Analysis
max time kernel: 65s
max time network: 110s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 17:15
Static task: static1
Behavioral task: behavioral1
  Sample: zloader 2_1.1.21.0.vir.dll
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: zloader 2_1.1.21.0.vir.dll
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: zloader 2_1.1.21.0.vir.dll
Size: 170KB
MD5: 3718fe99f772c81aa908369cd7279eac
SHA1: 34f02fba4e619d718b69bec2152a75683fa6a3c8
SHA256: c4f3e1c36ef734927967d40bba87fc620abe5c5049b0e67fd3cc3dab9c763c7a
SHA512: a86468e74665e1b26cb3233a84e4eae4c950b7c6ab24bd680c0da836cb8691eeae6b92dd8c603c1e03fcfc1c9c11f8a277b99a1d0d0b5e188ea03db4fc68df2c
Score: 10/10
Malware Config
Extracted
Family: zloader
Botnet: goldhub
Campaign: 18.03.2020
C2:
  https://105711.com/docs.php
  https://209711.com/process.php
  https://106311.com/comegetsome.php
  https://124331.com/success.php
rc4.plain
Signatures

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process       target process
  PID 3588 wrote to memory of 3660   3588  rundll32.exe  rundll32.exe
  PID 3588 wrote to memory of 3660   3588  rundll32.exe  rundll32.exe
  PID 3588 wrote to memory of 3660   3588  rundll32.exe  rundll32.exe
  PID 3660 wrote to memory of 3852   3660  rundll32.exe  msiexec.exe
  PID 3660 wrote to memory of 3852   3660  rundll32.exe  msiexec.exe
  PID 3660 wrote to memory of 3852   3660  rundll32.exe  msiexec.exe
  PID 3660 wrote to memory of 3852   3660  rundll32.exe  msiexec.exe
  PID 3660 wrote to memory of 3852   3660  rundll32.exe  msiexec.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process       target process
  PID 3660 set thread context of 3852  3660  rundll32.exe  msiexec.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  3852  msiexec.exe
  Token: SeSecurityPrivilege  3852  msiexec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                            process
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run    msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ephyogu = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Oxzuy\\olcikuur.dll,DllRegisterServer"    msiexec.exe
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.21.0.vir.dll",#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.21.0.vir.dll",#1
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      3. C:\Windows\SysWOW64\msiexec.exe
         msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
         - Adds Run key to start application