zloader | 191bbf8eafbe5dfcf56bb139f36d44724bdb9fd1e708cd29dfd2d7b2b916f9f2

Target

adfde0367ba639980632da58a5444005.dll
Size

429KB
MD5

adfde0367ba639980632da58a5444005
SHA1

451dd7d059eb7fd22bb7bb46e64de0a1436e6dc3
SHA256

191bbf8eafbe5dfcf56bb139f36d44724bdb9fd1e708cd29dfd2d7b2b916f9f2
SHA512

1726d83df12cbd9c2a07322925253053720a65d986b4acbb356240afbbed63589c163c7dacaf9a00242769d32943241af2edc6be7ea80e52ee2b041e1843508e

Score

10^/10

Malware Config

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Oginwuq = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Soqin\\udpeym.dll"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2120 set thread context of 1100 2120 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1100 msiexec.exe
Token: SeSecurityPrivilege 1100 msiexec.exe

description	pid	process	target process
PID 2120 set thread context of 1100	2120	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1100	msiexec.exe
Token: SeSecurityPrivilege	1100	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3704 wrote to memory of 2120	3704	rundll32.exe	rundll32.exe
PID 3704 wrote to memory of 2120	3704	rundll32.exe	rundll32.exe
PID 3704 wrote to memory of 2120	3704	rundll32.exe	rundll32.exe
PID 2120 wrote to memory of 1100	2120	rundll32.exe	msiexec.exe
PID 2120 wrote to memory of 1100	2120	rundll32.exe	msiexec.exe
PID 2120 wrote to memory of 1100	2120	rundll32.exe	msiexec.exe
PID 2120 wrote to memory of 1100	2120	rundll32.exe	msiexec.exe
PID 2120 wrote to memory of 1100	2120	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adfde0367ba639980632da58a5444005.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3704

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1100-1-0x0000000003050000-0x0000000003079000-memory.dmp

Filesize
164KB

Download
memory/1100-2-0x0000000000000000-mapping.dmp

Download
memory/2120-0-0x0000000000000000-mapping.dmp

Download