zloader | 191bbf8eafbe5dfcf56bb139f36d44724bdb9fd1e708cd29dfd2d7b2b916f9f2

Target

adfde0367ba639980632da58a5444005.dll
Size

429KB
MD5

adfde0367ba639980632da58a5444005
SHA1

451dd7d059eb7fd22bb7bb46e64de0a1436e6dc3
SHA256

191bbf8eafbe5dfcf56bb139f36d44724bdb9fd1e708cd29dfd2d7b2b916f9f2
SHA512

1726d83df12cbd9c2a07322925253053720a65d986b4acbb356240afbbed63589c163c7dacaf9a00242769d32943241af2edc6be7ea80e52ee2b041e1843508e

Score

10^/10

trojan botnet zloader persistence

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Oginwuq = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Soqin\\udpeym.dll"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 1100	2120	rundll32.exe	77

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1100	msiexec.exe
Token: SeSecurityPrivilege	1100	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 2120	3704	rundll32.exe	67
PID 3704 wrote to memory of 2120	3704	rundll32.exe	67
PID 3704 wrote to memory of 2120	3704	rundll32.exe	67
PID 2120 wrote to memory of 1100	2120	rundll32.exe	77
PID 2120 wrote to memory of 1100	2120	rundll32.exe	77
PID 2120 wrote to memory of 1100	2120	rundll32.exe	77
PID 2120 wrote to memory of 1100	2120	rundll32.exe	77
PID 2120 wrote to memory of 1100	2120	rundll32.exe	77

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adfde0367ba639980632da58a5444005.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\adfde0367ba639980632da58a5444005.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-1-0x0000000003050000-0x0000000003079000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General