zloader | 98a58a4f1a0b1305c473eeafa6dac80c2e2edd7e8aa8fe6d32ccac81318de1e5

Analysis

max time kernel
102s
max time network
103s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zte.dll
Size

473KB
MD5

00cc931e3c4ce21eaed78d8ee7352c35
SHA1

ee66e9cb16520de48a1efe4e09368067d9ee1a78
SHA256

98a58a4f1a0b1305c473eeafa6dac80c2e2edd7e8aa8fe6d32ccac81318de1e5
SHA512

1ba56fe37631544d8c0238183bf04aed3ffad09999183fef18bb84493502cfc7a3c4109f03062e0ef5b31f00a923e9b8e01eac1e788e52d66b074c2f8f5a16cb

Score

10^/10

zloader botnet persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xyzy = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Ceasl\\utopodel.dll"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1232 set thread context of 2528 1232 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 2528 msiexec.exe
Token: SeSecurityPrivilege 2528 msiexec.exe

description	pid	process	target process
PID 1232 set thread context of 2528	1232	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	2528	msiexec.exe
Token: SeSecurityPrivilege	2528	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1036 wrote to memory of 1232	1036	rundll32.exe	rundll32.exe
PID 1036 wrote to memory of 1232	1036	rundll32.exe	rundll32.exe
PID 1036 wrote to memory of 1232	1036	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 2528	1232	rundll32.exe	msiexec.exe
PID 1232 wrote to memory of 2528	1232	rundll32.exe	msiexec.exe
PID 1232 wrote to memory of 2528	1232	rundll32.exe	msiexec.exe
PID 1232 wrote to memory of 2528	1232	rundll32.exe	msiexec.exe
PID 1232 wrote to memory of 2528	1232	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\zte.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\zte.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-0-0x0000000000000000-mapping.dmp

Download
memory/2528-1-0x0000000002C60000-0x0000000002C8B000-memory.dmp

Filesize
172KB

Download
memory/2528-2-0x0000000000000000-mapping.dmp

Download