Analysis
Max time kernel: 150s
Max time network: 156s
Platform: windows7_x64
Resource: win7
Submitted: 19-07-2020 19:28
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: zloader 2_1.0.15.0.vir.dll
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: zloader 2_1.0.15.0.vir.dll
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: zloader 2_1.0.15.0.vir.dll
Size: 128KB
MD5: 33d2581d7d36acde729ce52c5d106d79
SHA1: 48b9cbe0f6922d6c844ab7b7122bc0cd389bf711
SHA256: 66f49a261b6086dfdd1c3e2a21f7cb746aa35707490cbd64693d66383ba54c64
SHA512: 75acc63cb9c38c0dd3d1759c93f38fc41e62b8853146267b6d80c7b979cf9bf281d3bd44519f1f6a9085d161a4a3d5abc5c71702c914382645e55af3fd6c8770
Score: 10/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rundll32.exe, rundll32.exe
  description         | pid | process      | target pid | target process
  wrote to memory of  | 900 | rundll32.exe | 836        | rundll32.exe   (7 events)
  wrote to memory of  | 836 | rundll32.exe | 1816       | msiexec.exe    (9 events)
Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
  description            | pid | process      | target pid | target process
  set thread context of  | 836 | rundll32.exe | 1816       | msiexec.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: msiexec.exe
  description                 | pid  | process
  Token: SeSecurityPrivilege  | 1816 | msiexec.exe
  Token: SeSecurityPrivilege  | 1816 | msiexec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
  description      | ioc                                                                                                                 | process
  Key created      | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run           | msiexec.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ecehhyde = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ufef\\dudih.dll,DllRegisterServer" | msiexec.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.15.0.vir.dll",#1
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\rundll32.exe
     Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.15.0.vir.dll",#1
     - Suspicious use of WriteProcessMemory
     - Suspicious use of SetThreadContext
    3. C:\Windows\SysWOW64\msiexec.exe
       Command line: msiexec.exe
       - Suspicious use of AdjustPrivilegeToken
       - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                         | size
  memory/836-0-0x0000000000000000-mapping.dmp                  | -
  memory/1816-1-0x0000000000110000-0x0000000000135000-memory.dmp | 148KB
  memory/1816-2-0x0000000000140000-0x0000000000141000-memory.dmp | 4KB
  memory/1816-3-0x0000000000110000-0x0000000000135000-memory.dmp | 148KB
  memory/1816-4-0x0000000000000000-mapping.dmp                 | -