Analysis
- max time kernel: 148s
- max time network: 160s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 17:23
Static task: static1
Behavioral task: behavioral1
- Sample: zloader 2_1.0.18.0.vir.dll
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: zloader 2_1.0.18.0.vir.dll
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zloader 2_1.0.18.0.vir.dll
- Size: 448KB
- MD5: a233e89a46b954cd46e6d543b96fd884
- SHA1: de323c3e4f362739cc6cf0a9989fbde6633d3bd5
- SHA256: 38115c7bdc10cc2981e9ab126d98f5ccab66a4d4d787b90a704ba3823b07fb67
- SHA512: 1bd3263c02060ec4444c07522610a440a16a5af1fde63edc0b9cf8564083abd812dab136c944f7a121f507a06413986e879cfe4c1cd5a7596143bf394a6aed84
- Score: 10/10
Malware Config
Extracted
- Family: zloader
- Botnet: 24/02
- Campaign: https://soficatan.site/milagrecf.php
- C2: https://barbeyo.xyz/milagrecf.php
- rc4.plain
Signatures

- Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rundll32.exe, rundll32.exe
description                      | pid  | process      | target process
PID 1388 wrote to memory of 1444 | 1388 | rundll32.exe | rundll32.exe
PID 1388 wrote to memory of 1444 | 1388 | rundll32.exe | rundll32.exe
PID 1388 wrote to memory of 1444 | 1388 | rundll32.exe | rundll32.exe
PID 1388 wrote to memory of 1444 | 1388 | rundll32.exe | rundll32.exe
PID 1388 wrote to memory of 1444 | 1388 | rundll32.exe | rundll32.exe
PID 1388 wrote to memory of 1444 | 1388 | rundll32.exe | rundll32.exe
PID 1388 wrote to memory of 1444 | 1388 | rundll32.exe | rundll32.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe
PID 1444 wrote to memory of 1816 | 1444 | rundll32.exe | msiexec.exe

- Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
description                         | pid  | process      | target process
PID 1444 set thread context of 1816 | 1444 | rundll32.exe | msiexec.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: msiexec.exe
description                | pid  | process
Token: SeSecurityPrivilege | 1816 | msiexec.exe
Token: SeSecurityPrivilege | 1816 | msiexec.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
description     | ioc                                                                                                              | process
Key created     | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run             | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ubybo = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Addohu\\guyc.dll,DllRegisterServer" | msiexec.exe
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.18.0.vir.dll",#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.18.0.vir.dll",#1
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      3. C:\Windows\SysWOW64\msiexec.exe
         msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
         - Adds Run key to start application
Downloads
- memory/1444-0-0x0000000000000000-mapping.dmp
- memory/1816-1-0x0000000000090000-0x00000000000B5000-memory.dmp (Filesize 148KB)
- memory/1816-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize 4KB)
- memory/1816-3-0x0000000000090000-0x00000000000B5000-memory.dmp (Filesize 148KB)
- memory/1816-4-0x0000000000000000-mapping.dmp