Analysis

  • max time kernel
    103s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    12-08-2020 18:03

General

  • Target

    yfuvqe.dll

  • Size

    389KB

  • MD5

    93c0cd9a47c5c28335e773c1f451f200

  • SHA1

    0c53b71e52a382f2a920df2d80048b01616c62c4

  • SHA256

    deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2

  • SHA512

    cf6ae7d6b2ecbb3cbfbd99c067dd7b7b94572991aee00d00fb423acce9edd234a8662e00943873dcbf0931115871356ab57191f8be3b9041a779ce2b02a39223

Score
10/10

Malware Config

Extracted

Family

zloader

Botnet

mk1

Campaign

mac2

C2

https://alesirovone.world/click.php

rc4.plain
rsa_pubkey.plain

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess ⋅ 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1228
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
      Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:276
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Replay Monitor

                          00:00 00:00

                          Downloads

                          • memory/276-0-0x0000000000000000-mapping.dmp
                          • memory/1388-1-0x0000000000090000-0x00000000000BD000-memory.dmp
                          • memory/1388-2-0x00000000000C0000-0x00000000000C1000-memory.dmp
                          • memory/1388-3-0x0000000000090000-0x00000000000BD000-memory.dmp
                          • memory/1388-4-0x0000000000000000-mapping.dmp