zloader | 63f29f078acebb36b44d7875c4a54ec051736481ee85898a2ad7e28e2fe1dc08

General

Target

nocrypt.dll
Size

156KB
MD5

388cc3b6cd3ae537f404e235556d78ad
SHA1

2a41fdcb1e82af69fc6c41d572039204b16e43dd
SHA256

63f29f078acebb36b44d7875c4a54ec051736481ee85898a2ad7e28e2fe1dc08
SHA512

5edc123da2507e2bac2c642bce8b7654bc0c69c792cd1523dcc6766754220109040de2a2197a0314a47f0560cbd593a3f80606959654329b3af1af2de12584f2

Score

10^/10

trojan botnet zloader persistence spyware

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1768 created 1236 1768 rundll32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 1768 created 1236	1768	rundll32.exe	Explorer.EXE

Blacklisted process makes network request 24 IoCs

Processes:

msiexec.exe

flow	pid	process
8	1588	msiexec.exe
10	1588	msiexec.exe
12	1588	msiexec.exe
14	1588	msiexec.exe
15	1588	msiexec.exe
16	1588	msiexec.exe
17	1588	msiexec.exe
18	1588	msiexec.exe
19	1588	msiexec.exe
20	1588	msiexec.exe
21	1588	msiexec.exe
22	1588	msiexec.exe
23	1588	msiexec.exe
24	1588	msiexec.exe
25	1588	msiexec.exe
26	1588	msiexec.exe
27	1588	msiexec.exe
28	1588	msiexec.exe
29	1588	msiexec.exe
30	1588	msiexec.exe
31	1588	msiexec.exe
32	1588	msiexec.exe
33	1588	msiexec.exe
34	1588	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1768 set thread context of 1588 1768 rundll32.exe msiexec.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1748 net.exe
1836 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

240 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exemsiexec.exe

pid process

1768 rundll32.exe
1588 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1768 rundll32.exe
Token: SeSecurityPrivilege 1588 msiexec.exe
Token: SeSecurityPrivilege 1588 msiexec.exe

description	pid	process	target process
PID 1768 set thread context of 1588	1768	rundll32.exe	msiexec.exe

pid	process
1748	net.exe
1836	net.exe

pid	process
240	ipconfig.exe

pid	process
1768	rundll32.exe
1588	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	1768	rundll32.exe
Token: SeSecurityPrivilege	1588	msiexec.exe
Token: SeSecurityPrivilege	1588	msiexec.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

rundll32.exerundll32.exemsiexec.execmd.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 1768	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1768	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1768	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1768	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1768	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1768	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1768	1516	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1768 wrote to memory of 1588	1768	rundll32.exe	msiexec.exe
PID 1588 wrote to memory of 300	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 300	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 300	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 300	1588	msiexec.exe	cmd.exe
PID 300 wrote to memory of 240	300	cmd.exe	ipconfig.exe
PID 300 wrote to memory of 240	300	cmd.exe	ipconfig.exe
PID 300 wrote to memory of 240	300	cmd.exe	ipconfig.exe
PID 300 wrote to memory of 240	300	cmd.exe	ipconfig.exe
PID 1588 wrote to memory of 1476	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 1476	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 1476	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 1476	1588	msiexec.exe	cmd.exe
PID 1476 wrote to memory of 908	1476	cmd.exe	net.exe
PID 1476 wrote to memory of 908	1476	cmd.exe	net.exe
PID 1476 wrote to memory of 908	1476	cmd.exe	net.exe
PID 1476 wrote to memory of 908	1476	cmd.exe	net.exe
PID 908 wrote to memory of 968	908	net.exe	net1.exe
PID 908 wrote to memory of 968	908	net.exe	net1.exe
PID 908 wrote to memory of 968	908	net.exe	net1.exe
PID 908 wrote to memory of 968	908	net.exe	net1.exe
PID 1588 wrote to memory of 940	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 940	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 940	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 940	1588	msiexec.exe	cmd.exe
PID 940 wrote to memory of 1748	940	cmd.exe	net.exe
PID 940 wrote to memory of 1748	940	cmd.exe	net.exe
PID 940 wrote to memory of 1748	940	cmd.exe	net.exe
PID 940 wrote to memory of 1748	940	cmd.exe	net.exe
PID 1588 wrote to memory of 1452	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 1452	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 1452	1588	msiexec.exe	cmd.exe
PID 1588 wrote to memory of 1452	1588	msiexec.exe	cmd.exe
PID 1452 wrote to memory of 1836	1452	cmd.exe	net.exe
PID 1452 wrote to memory of 1836	1452	cmd.exe	net.exe
PID 1452 wrote to memory of 1836	1452	cmd.exe	net.exe
PID 1452 wrote to memory of 1836	1452	cmd.exe	net.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nocrypt.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\nocrypt.dll,#1
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ipconfig /all
3⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Modifies service
- Gathers network information
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net config workstation
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\net.exe
net config workstation
4⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 config workstation
5⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\net.exe
net view /all /domain
4⤵
- Discovers systems in the same network
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-7-0x0000000000000000-mapping.dmp

Download
memory/300-6-0x0000000000000000-mapping.dmp

Download
memory/908-9-0x0000000000000000-mapping.dmp

Download
memory/940-11-0x0000000000000000-mapping.dmp

Download
memory/968-10-0x0000000000000000-mapping.dmp

Download
memory/1292-5-0x000007FEF8560000-0x000007FEF87DA000-memory.dmp

Filesize
2.5MB

Download
memory/1452-13-0x0000000000000000-mapping.dmp

Download
memory/1476-8-0x0000000000000000-mapping.dmp

Download
memory/1588-3-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1588-4-0x0000000000000000-mapping.dmp

Download
memory/1588-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1588-1-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1748-12-0x0000000000000000-mapping.dmp

Download
memory/1768-0-0x0000000000000000-mapping.dmp

Download
memory/1836-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads