Analysis
-
max time kernel
127s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
19-04-2022 02:33
General
-
Target
acc5fe0088037ddc055f9286380c56583effa1186afe9d08caea3e197b2643fd.dll
-
Size
764KB
-
MD5
ebc6187124521528375d17372a16ae94
-
SHA1
1aee7da350e939d1686cd52c258f05270e63f990
-
SHA256
acc5fe0088037ddc055f9286380c56583effa1186afe9d08caea3e197b2643fd
-
SHA512
6e8f3dbc3a3121c00b6574558be8acc3331e7a8b7ca6aa2ae354d9d6ae62a69ffc3541f40b16cd0fb5364dd9f4ec430639a1ffaec987fa2d4dfd0850930f56f5
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
17/03
C2
https://dhteijwrb.host/milagrecf.php
https://aquolepp.pw/milagrecf.php
Attributes
-
build_id
92
rc4.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\acc5fe0088037ddc055f9286380c56583effa1186afe9d08caea3e197b2643fd.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\acc5fe0088037ddc055f9286380c56583effa1186afe9d08caea3e197b2643fd.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
8KB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
196KB
-
Filesize
872KB