Analysis
-
max time kernel
91s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 16:42
General
-
Target
3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd.dll
-
Size
364KB
-
MD5
c8492a0451b8379fcf2d0134a787b79a
-
SHA1
5ee7bc744232d53edd327fdbd8a7a77561857738
-
SHA256
3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd
-
SHA512
3e97bcf4223d3f0b3743069154a072778ce0a41af8a93ac2c4d8fe44cbce9ea9224f1d3d8886c64cb95d42a289cc3ac0ca788ad2e4316f22a55298d92498b4b5
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
bot5
Campaign
bot5
C2
https://militanttra.at/owg.php
Attributes
-
build_id
15
rc4.plain
rsa_pubkey.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd.dll2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 5764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4780 -ip 47801⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3284-130-0x0000000000000000-mapping.dmp
-
memory/4780-131-0x0000000000000000-mapping.dmp
-
memory/4780-132-0x0000000000D30000-0x0000000000D5B000-memory.dmpFilesize
172KB
-
memory/4780-133-0x0000000000D30000-0x0000000000D5B000-memory.dmpFilesize
172KB