Analysis

Max time kernel: 120s
Max time network: 119s
Platform: windows7_x64
Resource: win7
Submitted: 19-07-2020 17:23
Static task: static1

Behavioral task: behavioral1
Sample: zloader 2_1.1.18.0.vir.dll
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: zloader 2_1.1.18.0.vir.dll
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General

Target: zloader 2_1.1.18.0.vir.dll
Size: 276KB
MD5: 3f5e18655426b5ffc62d65048187dfdc
SHA1: b785e3e416fe5a64dd518cefc1df2e8bb39e534e
SHA256: 1dda49ee9286f6c433dd46056c690d02d2e7dea1f96e01dbe148136891d01bbd
SHA512: 37d23977d2a36e30088a41236937b60a8b1173b44571e71213c78e9df335abfc5bbcc9986b77f508ac5dd5f61f3e0433bbbe7e11496947fa5a7378a66eefcd95
Score: 10/10
Malware Config

Extracted
Family: zloader
Botnet: 10/03
Campaign: https://dhteijwrb.host/milagrecf.php
C2: https://aquolepp.pw/milagrecf.php
rc4.plain
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Icolni = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Vaubud\\qixu.dll,DllRegisterServer" | msiexec.exe
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description | pid | process | target pid | target process | occurrences
  PID 896 wrote to memory of 596 | 896 | rundll32.exe | 596 | rundll32.exe | 7
  PID 596 wrote to memory of 1872 | 596 | rundll32.exe | 1872 | msiexec.exe | 9

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target pid | target process
  PID 596 set thread context of 1872 | 596 | rundll32.exe | 1872 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process | occurrences
  Token: SeSecurityPrivilege | 1872 | msiexec.exe | 2
Processes

C:\Windows\system32\rundll32.exe (PID 896)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.18.0.vir.dll",#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 596)
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.18.0.vir.dll",#1
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    C:\Windows\SysWOW64\msiexec.exe (PID 1872)
      msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

(PIDs are taken from the signature tables: 896 is the 64-bit rundll32.exe, 596 the SysWOW64 rundll32.exe it re-launches, 1872 the msiexec.exe that 596 writes into and whose thread context it resets.)
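The signature tables and the process tree describe one chain: the 64-bit rundll32.exe (PID 896) writes into a SysWOW64 rundll32.exe (PID 596); that 32-bit rundll32.exe starts an argument-less msiexec.exe (PID 1872), writes into it nine times and then calls SetThreadContext on it, which is the process-hollowing sequence; and it is the hollowed msiexec.exe, not rundll32.exe, that writes the Run value pointing at a DLL under AppData\Roaming. The Python below is an added example, not part of this report or of any sandbox's tooling: it encodes those three observations as detection rules and runs them over a constructed event list modelled on the tables above. The Event schema, the EVENTS list, the regular expressions and the function names are assumptions made for the example, not the sandbox's export format.

```python
"""Added example, not from the sandbox report: re-derive its verdicts
(hollowing of msiexec.exe, rundll32 Run-key persistence, a bare msiexec.exe
child) from sandbox-style event records constructed from the tables above."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Event:                          # assumed schema, not the sandbox's own
    kind: str                         # process_start | write_memory | set_thread_context | reg_set_value
    pid: int                          # acting process
    image: str                        # full path of the acting process
    cmdline: str = ""                 # process_start only
    parent_pid: Optional[int] = None  # process_start only
    target_pid: Optional[int] = None  # write_memory / set_thread_context
    target_image: str = ""
    key: str = ""                     # reg_set_value only
    value: str = ""

X64_RUNDLL = r"C:\Windows\system32\rundll32.exe"
WOW_RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
WOW_MSIEXEC = r"C:\Windows\SysWOW64\msiexec.exe"
SAMPLE_CMD = r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.18.0.vir.dll",#1'
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\Icolni")

# Constructed event log: 7 + 9 WriteProcessMemory rows, one SetThreadContext
# row and one Run-key write, in the order the report's tables imply.
EVENTS: List[Event] = (
    [Event("process_start", 896, X64_RUNDLL, cmdline=SAMPLE_CMD),
     Event("process_start", 596, WOW_RUNDLL, cmdline=SAMPLE_CMD, parent_pid=896)]
    + [Event("write_memory", 896, X64_RUNDLL, target_pid=596, target_image=WOW_RUNDLL)
       for _ in range(7)]
    + [Event("process_start", 1872, WOW_MSIEXEC, cmdline="msiexec.exe", parent_pid=596)]
    + [Event("write_memory", 596, WOW_RUNDLL, target_pid=1872, target_image=WOW_MSIEXEC)
       for _ in range(9)]
    + [Event("set_thread_context", 596, WOW_RUNDLL, target_pid=1872, target_image=WOW_MSIEXEC),
       Event("reg_set_value", 1872, WOW_MSIEXEC, key=RUN_KEY,
             value=r"rundll32.exe C:\Users\Admin\AppData\Roaming\Vaubud\qixu.dll,DllRegisterServer")]
)

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
RUNDLL_VALUE_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
BARE_MSIEXEC_RE = re.compile(r'^"?(?:[^"\s]*\\)?msiexec\.exe"?\s*$', re.I)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_hollowing(events: List[Event]) -> List[dict]:
    """A source that both writes into a target and resets its thread context,
    where the target runs a different image, is the hollowing sequence: write
    the payload, then repoint the suspended main thread at it."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx: Dict[Tuple[int, int], Event] = {}
    for e in events:
        if e.kind == "write_memory":
            writes[(e.pid, e.target_pid)] += 1
        elif e.kind == "set_thread_context":
            ctx[(e.pid, e.target_pid)] = e
    return [{"source_pid": s, "source_image": e.image, "target_pid": t,
             "target_image": e.target_image, "writes": writes[(s, t)]}
            for (s, t), e in ctx.items()
            if (s, t) in writes and _basename(e.image) != _basename(e.target_image)]

def find_run_key_persistence(events: List[Event]) -> List[dict]:
    """Run values that launch rundll32 on a DLL living under a user-writable path."""
    hits = []
    for e in events:
        if e.kind != "reg_set_value":
            continue
        km, vm = RUN_KEY_RE.search(e.key), RUNDLL_VALUE_RE.match(e.value)
        if km and vm:
            dll = vm.group("dll").strip()
            hits.append({"pid": e.pid, "writer": e.image, "value_name": km.group(1),
                         "dll": dll, "export": vm.group("export"),
                         "user_writable": bool(USER_PATH_RE.search(dll))})
    return hits

def find_bare_msiexec(events: List[Event]) -> List[dict]:
    """msiexec.exe normally carries /i, /x, /V ...; a bare 'msiexec.exe' is a
    process created only to host injected code. Reports its parent too."""
    starts = {e.pid: e for e in events if e.kind == "process_start"}
    return [{"pid": e.pid, "parent_pid": e.parent_pid,
             "parent_image": starts[e.parent_pid].image if e.parent_pid in starts else None}
            for e in starts.values()
            if _basename(e.image) == "msiexec.exe" and BARE_MSIEXEC_RE.match(e.cmdline)]

def triage(events: List[Event]) -> Dict[str, List[dict]]:
    return {"hollowing": find_hollowing(events),
            "run_key": find_run_key_persistence(events),
            "bare_msiexec": find_bare_msiexec(events)}

if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On the constructed input the hollowing rule fires only for 596 to 1872: the 896 to 596 writes are rundll32 into rundll32 with no SetThreadContext, which is the 64-bit to WoW64 re-launch rather than hollowing, so the image-name check keeps it out. The Run-key rule flags the value because the DLL sits under a user's AppData and is invoked through DllRegisterServer, which is the pattern the report's Run-key IoC shows; the same rule would not fire on a Run value pointing at a DLL under C:\Windows.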
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/596-0-0x0000000000000000-mapping.dmp
memory/1872-1-0x00000000000D0000-0x0000000000100000-memory.dmp (192KB)
memory/1872-2-0x0000000000100000-0x0000000000101000-memory.dmp (4KB)
memory/1872-3-0x00000000000D0000-0x0000000000100000-memory.dmp (192KB)
memory/1872-4-0x0000000000000000-mapping.dmp