Analysis
- max time kernel: 141s
- max time network: 55s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 17:23
Static task: static1

Behavioral task: behavioral1
- Sample: zloader 2_1.1.18.0.vir.dll
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: zloader 2_1.1.18.0.vir.dll
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zloader 2_1.1.18.0.vir.dll
- Size: 276KB
- MD5: 3f5e18655426b5ffc62d65048187dfdc
- SHA1: b785e3e416fe5a64dd518cefc1df2e8bb39e534e
- SHA256: 1dda49ee9286f6c433dd46056c690d02d2e7dea1f96e01dbe148136891d01bbd
- SHA512: 37d23977d2a36e30088a41236937b60a8b1173b44571e71213c78e9df335abfc5bbcc9986b77f508ac5dd5f61f3e0433bbbe7e11496947fa5a7378a66eefcd95
- Score: 10/10
Malware Config
Extracted:
- Family: zloader
- Botnet: 10/03
- Campaign: https://dhteijwrb.host/milagrecf.php
- C2: https://aquolepp.pw/milagrecf.php
- rc4.plain
Signatures

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hibyt = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Sylio\\ulyc.dll,DllRegisterServer" | msiexec.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 968 wrote to memory of 3824 | 968 | rundll32.exe | rundll32.exe
  PID 968 wrote to memory of 3824 | 968 | rundll32.exe | rundll32.exe
  PID 968 wrote to memory of 3824 | 968 | rundll32.exe | rundll32.exe
  PID 3824 wrote to memory of 2232 | 3824 | rundll32.exe | msiexec.exe
  PID 3824 wrote to memory of 2232 | 3824 | rundll32.exe | msiexec.exe
  PID 3824 wrote to memory of 2232 | 3824 | rundll32.exe | msiexec.exe
  PID 3824 wrote to memory of 2232 | 3824 | rundll32.exe | msiexec.exe
  PID 3824 wrote to memory of 2232 | 3824 | rundll32.exe | msiexec.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 3824 set thread context of 2232 | 3824 | rundll32.exe | msiexec.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 2232 | msiexec.exe
  Token: SeSecurityPrivilege | 2232 | msiexec.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.18.0.vir.dll",#1
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.18.0.vir.dll",#1
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken