Analysis
  max time kernel:  138s
  max time network: 21s
  platform:         windows7_x64
  resource:         win7v200430
  submitted:        19-07-2020 19:27
Static task: static1
Behavioral task: behavioral1
  Sample:   zloader 2_1.1.19.0.vir.dll
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample:   zloader 2_1.1.19.0.vir.dll
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: zloader 2_1.1.19.0.vir.dll
  Size:   280KB
  MD5:    06cbf262293eb6689ce5d2e61c494f7a
  SHA1:   46ddf35b6ad2596d0fc666701fac599bc1f7b534
  SHA256: ec9668cae1c65020021d2c633b68286944f1e6b1ddf5183d40ef823607e29cba
  SHA512: 375bf59d11e89955315deb1b2d36d16776dbbde2c5cab5ca2fe0d5f049aa30bac00643222a200126eb9a93a5e66e13b8ec39e29c2abbc356db8d301f1bb0768a
  Score:  10/10
Malware Config
  Extracted
    Family:    zloader
    Botnet:    10/03
    Campaign:  https://dhteijwrb.host/milagrecf.php
    C2:        https://aquolepp.pw/milagrecf.php
    rc4.plain: (not shown)
Signatures
  Suspicious use of SetThreadContext (1 IoC)
    PID 1292 rundll32.exe  set thread context of  PID 1344 msiexec.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    PID 1344 msiexec.exe  Token: SeSecurityPrivilege  (x2)

  Adds Run key to start application (2 TTPs, 2 IoCs)
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aqop = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Iwiw\\oherz.dll,DllRegisterServer"  (msiexec.exe)
    Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run  (msiexec.exe)

  Suspicious use of WriteProcessMemory (16 IoCs)
    PID 828  rundll32.exe  wrote to memory of  PID 1292 rundll32.exe  (x7)
    PID 1292 rundll32.exe  wrote to memory of  PID 1344 msiexec.exe   (x9)
Processes
  1. C:\Windows\system32\rundll32.exe  (PID 828, per the WriteProcessMemory IoCs)
       rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.19.0.vir.dll",#1
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe  (PID 1292)
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.1.19.0.vir.dll",#1
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\msiexec.exe  (PID 1344)
             msiexec.exe
             - Suspicious use of AdjustPrivilegeToken
             - Adds Run key to start application
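The two behaviours the Signatures and Processes sections record are straightforward to turn into detection logic: a parent that both writes into a child process and sets a thread context in it (1292 rundll32.exe into 1344 msiexec.exe, consistent with process hollowing of a legitimate Windows binary), and a Run-key value that starts rundll32.exe on a DLL copied under the user's roaming profile (the Aqop value pointing at oherz.dll,DllRegisterServer). The Python below is an added example, not part of the Triage report or the zloader sample. The event list it runs over is constructed to mirror the IoCs above (PIDs 828/1292/1344, write counts 7 and 9, the Aqop value name and the oherz.dll path) and is not real telemetry; the field names (type, pid, image, target_pid, key, name, value) are an assumed generic shape rather than any particular EDR or Sysmon schema.

```python
"""Detection logic for the behaviours this report records: a parent that
writes into a child process and also sets a thread context in it, and a
Run value under a user hive that launches rundll32.exe on a DLL under the
roaming profile.  Added example; the events below are constructed to mirror
the report's IoCs and are not sandbox output."""
import re
from collections import defaultdict

# rundll32[.exe], optionally with a path and quotes, then "<dll>,<export>"
# where export is a name or an ordinal such as #1 (the form used to run the sample).
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


def parse_rundll32(command):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command)
    return (m.group("dll"), m.group("export")) if m else None


def is_suspicious_run_value(command):
    """rundll32 loading a DLL from the roaming profile is the pattern in the
    report's Aqop value; system DLLs and non-rundll32 entries pass."""
    parsed = parse_rundll32(command)
    return parsed is not None and "\\appdata\\roaming\\" in parsed[0].lower()


def find_hollowing_chains(events):
    """Pairs where the parent both wrote into the child and set a thread
    context in it (WriteProcessMemory + SetThreadContext on one target)."""
    writes, images, ctx_pairs = defaultdict(int), {}, []
    for e in events:
        if e["type"] not in ("write_memory", "set_thread_context"):
            continue
        pair = (e["pid"], e["target_pid"])
        images[pair] = (e["image"], e["target_image"])
        if e["type"] == "write_memory":
            writes[pair] += 1
        else:
            ctx_pairs.append(pair)
    return [
        {"parent_pid": p, "parent_image": images[(p, c)][0],
         "child_pid": c, "child_image": images[(p, c)][1], "writes": writes[(p, c)]}
        for p, c in dict.fromkeys(ctx_pairs)   # dedupe, keep first-seen order
        if writes.get((p, c), 0) > 0
    ]


def find_persistence(events):
    """Run-key values (any user hive) whose command is a roaming-profile rundll32 load."""
    hits = []
    for e in events:
        if e["type"] != "registry_set" or not e["key"].lower().endswith(RUN_KEY_SUFFIX):
            continue
        if is_suspicious_run_value(e["value"]):
            dll, export = parse_rundll32(e["value"])
            hits.append({"pid": e["pid"], "image": e["image"], "name": e["name"],
                         "dll": dll, "export": export})
    return hits


def triage(events):
    """Correlate: persistence written by a process that was itself hollowed."""
    chains = find_hollowing_chains(events)
    persistence = find_persistence(events)
    hollowed = {c["child_pid"] for c in chains}
    return {"hollowing": chains, "persistence": persistence,
            "hollowed_process_persisted": any(h["pid"] in hollowed for h in persistence)}


def _writes(src, src_img, dst, dst_img, n):
    return [{"type": "write_memory", "pid": src, "image": src_img,
             "target_pid": dst, "target_image": dst_img} for _ in range(n)]


# Constructed to mirror the report (7 writes 828->1292, 9 writes 1292->1344).
EVENTS = (
    _writes(828, "rundll32.exe", 1292, "rundll32.exe", 7)
    + [{"type": "set_thread_context", "pid": 1292, "image": "rundll32.exe",
        "target_pid": 1344, "target_image": "msiexec.exe"}]
    + _writes(1292, "rundll32.exe", 1344, "msiexec.exe", 9)
    + [{"type": "registry_set", "pid": 1344, "image": "msiexec.exe",
        "key": r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run",
        "name": "Aqop",
        "value": r"rundll32.exe C:\Users\Admin\AppData\Roaming\Iwiw\oherz.dll,DllRegisterServer"}]
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The 828 to 1292 pair has writes but no SetThreadContext, so it is not reported as hollowing; in this report that hop is the 64-bit rundll32.exe in system32 handing the 32-bit DLL to its SysWOW64 counterpart, which is why the image path changes between the first two entries of the process tree. The Run-key check keys on rundll32 plus a DLL under AppData\Roaming, a layout some legitimate per-user installers also use, so treat it as a hunting lead to correlate with the injection chain (as triage() does) rather than a standalone blocking rule.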
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/1292-0-0x0000000000000000-mapping.dmp
  memory/1344-1-0x0000000000090000-0x00000000000C0000-memory.dmp  (192KB)
  memory/1344-2-0x00000000000C0000-0x00000000000C1000-memory.dmp  (4KB)
  memory/1344-3-0x0000000000090000-0x00000000000C0000-memory.dmp  (192KB)
  memory/1344-4-0x0000000000000000-mapping.dmp