zloader | 29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366

General

Target

29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm
Size

86KB
MD5

a758f5bfaeb275b5dfaf5be55a8b087b
SHA1

eff178dfef00ee753f4a540107632e43ec4a4ef9
SHA256

29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366
SHA512

7e96b281aa9433bb05073ff0ee9cb9d94384ef6cf9b801d11d5d420d647c79310f18485fab340afa8d0eb9bcdc64ec7cf885ee5636fc7edcfbbfe54ff208f364

Score

10^/10

evasion spyware trojan botnet zloader persistence

Malware Config

Signatures

Runs net.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1076 net.exe
1728 net.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1304 EXCEL.EXE
1304 EXCEL.EXE
1304 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1824 set thread context of 1560 1824 rundll32.exe msiexec.exe

pid	process
1076	net.exe
1728	net.exe

pid	process
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE

description	pid	process	target process
PID 1824 set thread context of 1560	1824	rundll32.exe	msiexec.exe

Blacklisted process makes network request 10 IoCs

Processes:

msiexec.exe

flow	pid	process
19	1560	msiexec.exe
20	1560	msiexec.exe
21	1560	msiexec.exe
22	1560	msiexec.exe
23	1560	msiexec.exe
24	1560	msiexec.exe
25	1560	msiexec.exe
26	1560	msiexec.exe
27	1560	msiexec.exe
28	1560	msiexec.exe

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1828	1304	rundll32.exe	EXCEL.EXE

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1824 rundll32.exe
1824 rundll32.exe
1824 rundll32.exe
1824 rundll32.exe
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

pid	process
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

msiexec.exe

pid process

1560 msiexec.exe

pid	process
1560	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

EXCEL.EXEmsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1304 EXCEL.EXE

pid	process
1304	EXCEL.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exemsiexec.execmd.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1304 wrote to memory of 1828	1304	EXCEL.EXE	rundll32.exe
PID 1304 wrote to memory of 1828	1304	EXCEL.EXE	rundll32.exe
PID 1304 wrote to memory of 1828	1304	EXCEL.EXE	rundll32.exe
PID 1828 wrote to memory of 1824	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1824	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1824	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1824	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1824	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1824	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1824	1828	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1824 wrote to memory of 1560	1824	rundll32.exe	msiexec.exe
PID 1560 wrote to memory of 820	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 820	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 820	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 820	1560	msiexec.exe	cmd.exe
PID 820 wrote to memory of 2020	820	cmd.exe	ipconfig.exe
PID 820 wrote to memory of 2020	820	cmd.exe	ipconfig.exe
PID 820 wrote to memory of 2020	820	cmd.exe	ipconfig.exe
PID 820 wrote to memory of 2020	820	cmd.exe	ipconfig.exe
PID 1560 wrote to memory of 2044	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 2044	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 2044	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 2044	1560	msiexec.exe	cmd.exe
PID 2044 wrote to memory of 1460	2044	cmd.exe	net.exe
PID 2044 wrote to memory of 1460	2044	cmd.exe	net.exe
PID 2044 wrote to memory of 1460	2044	cmd.exe	net.exe
PID 2044 wrote to memory of 1460	2044	cmd.exe	net.exe
PID 1460 wrote to memory of 760	1460	net.exe	net1.exe
PID 1460 wrote to memory of 760	1460	net.exe	net1.exe
PID 1460 wrote to memory of 760	1460	net.exe	net1.exe
PID 1460 wrote to memory of 760	1460	net.exe	net1.exe
PID 1560 wrote to memory of 892	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 892	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 892	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 892	1560	msiexec.exe	cmd.exe
PID 892 wrote to memory of 1728	892	cmd.exe	net.exe
PID 892 wrote to memory of 1728	892	cmd.exe	net.exe
PID 892 wrote to memory of 1728	892	cmd.exe	net.exe
PID 892 wrote to memory of 1728	892	cmd.exe	net.exe
PID 1560 wrote to memory of 1496	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 1496	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 1496	1560	msiexec.exe	cmd.exe
PID 1560 wrote to memory of 1496	1560	msiexec.exe	cmd.exe
PID 1496 wrote to memory of 1076	1496	cmd.exe	net.exe
PID 1496 wrote to memory of 1076	1496	cmd.exe	net.exe
PID 1496 wrote to memory of 1076	1496	cmd.exe	net.exe
PID 1496 wrote to memory of 1076	1496	cmd.exe	net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1560 msiexec.exe
Token: SeSecurityPrivilege 1560 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1560	msiexec.exe
Token: SeSecurityPrivilege	1560	msiexec.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\29f4fa56df55b1b53b2a8a6b27d2816436a75153eaf0533cf7d788d7026d8366.xlsm
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" mHMUKpx.dll,DllRegisterServer
3⤵
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
4⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ipconfig /all
5⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
6⤵
- Modifies service
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net config workstation
5⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\net.exe
net config workstation
6⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 config workstation
7⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all
5⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\net.exe
net view /all
6⤵
- Discovers systems in the same network
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all /domain
5⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\net.exe
net view /all /domain
6⤵
- Discovers systems in the same network
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Remote System Discovery

1

T1018

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\mHMUKpx.dll

Download Submit
\Users\Admin\Documents\mHMUKpx.dll

Download Submit
\Users\Admin\Documents\mHMUKpx.dll

Download Submit
\Users\Admin\Documents\mHMUKpx.dll

Download Submit
\Users\Admin\Documents\mHMUKpx.dll

Download Submit
memory/1560-5-0x0000000000090000-0x00000000000C7000-memory.dmp

Filesize
220KB

Download
memory/1560-6-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1560-7-0x0000000000090000-0x00000000000C7000-memory.dmp

Filesize
220KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads