Analysis
- max time kernel: 141s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:54
Static task: static1

Behavioral task: behavioral1
- Sample: zte(1).dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: zte(1).dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zte(1).dll
- Size: 473KB
- MD5: 13b3e008d5b8996c34a9247fbc412aa9
- SHA1: 6bcfb4f6385a4a78d39514763ed203ec7d4dc59f
- SHA256: fa240d61efeb769d33cc081f2086ae6b65cda847a80440c82d97867fd1fbd6ab
- SHA512: ee79fcdec5d4365a4a1d43cd60245917ac3a4128149d7c9666bccad7466e46d111d2c2901988643a835e2681011319909626d7f37dc12b3b6cbd20fa5b1efe30
Malware Config
Extracted
- Family: zloader
- Botnet: bot5
- Campaign: bot5
- C2: https://militanttra.at/owg.php
- rc4.plain
- rsa_pubkey.plain
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: msiexec.exe
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mofosu = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Niiqid\\yrenzys.dll"

Suspicious use of SetThreadContext (1 IoC)
Process: rundll32.exe
- PID 1300 (rundll32.exe) set thread context of PID 544 (msiexec.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Process: msiexec.exe
- PID 544 (msiexec.exe): Token: SeSecurityPrivilege (reported twice)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rundll32.exe, rundll32.exe
- PID 2012 (rundll32.exe) wrote to memory of PID 1300 (rundll32.exe): 7 IoCs
- PID 1300 (rundll32.exe) wrote to memory of PID 544 (msiexec.exe): 9 IoCs
Processes
(PIDs taken from the signature records above.)

- C:\Windows\system32\rundll32.exe (PID 2012)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\zte(1).dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1300)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\zte(1).dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 544)
      msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
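The two sections above describe one chain: the 64-bit rundll32.exe under system32 hands the DLL off to the 32-bit rundll32.exe under SysWOW64, which writes into a freshly started msiexec.exe and then calls SetThreadContext on it, the classic process-hollowing shape (write the payload, redirect the thread). The hollowed msiexec.exe is what registers persistence, pointing regsvr32.exe /s at a DLL under the user's AppData\Roaming. The script below is an added example for this page, not Triage's own code: it parses the flattened IoC lines into events, rebuilds the WriteProcessMemory chain, flags the write-then-SetThreadContext pair as a hollowing candidate, and splits the Run-key command into launcher and payload so the LOLBin-plus-user-profile-DLL pattern is explicit. IOC_LINES is constructed from the report's own records (the write events are abbreviated), and the regexes assume the one-line-per-IoC layout seen on this page.

```python
"""Triage of the flattened sandbox IoC lines: injection chain, hollowing
verdict and Run-key persistence. Added example, not Triage's own code.
The regexes assume the one-line-per-IoC layout of the report; IOC_LINES is
constructed from the report's own records (write events abbreviated)."""
import re
from collections import Counter, defaultdict

# Constructed from the Signatures section (same PIDs, image names and paths).
IOC_LINES = r"""
PID 2012 wrote to memory of 1300 2012 rundll32.exe rundll32.exe
PID 2012 wrote to memory of 1300 2012 rundll32.exe rundll32.exe
PID 2012 wrote to memory of 1300 2012 rundll32.exe rundll32.exe
PID 1300 wrote to memory of 544 1300 rundll32.exe msiexec.exe
PID 1300 wrote to memory of 544 1300 rundll32.exe msiexec.exe
PID 1300 wrote to memory of 544 1300 rundll32.exe msiexec.exe
PID 1300 set thread context of 544 1300 rundll32.exe msiexec.exe
Token: SeSecurityPrivilege 544 msiexec.exe
Token: SeSecurityPrivilege 544 msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mofosu = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Niiqid\\yrenzys.dll" msiexec.exe
""".strip().splitlines()

WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
SETCTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
TOKEN = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
RUNKEY = re.compile(r'^Set value \(str\) (\S+\\CurrentVersion\\Run\\(\S+)) = "(.*)" (\S+)$')


def parse(lines):
    """Turn each IoC line into a small dict; lines of unknown shape are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if m := WRITE.match(line):
            events.append({"kind": "write", "src": int(m[1]), "dst": int(m[2]),
                           "src_name": m[3], "dst_name": m[4]})
        elif m := SETCTX.match(line):
            events.append({"kind": "setctx", "src": int(m[1]), "dst": int(m[2]),
                           "src_name": m[3], "dst_name": m[4]})
        elif m := TOKEN.match(line):
            events.append({"kind": "token", "priv": m[1], "pid": int(m[2]), "proc": m[3]})
        elif m := RUNKEY.match(line):
            events.append({"kind": "runkey", "key": m[1], "value": m[2],
                           "command": m[3], "proc": m[4]})
    return events


def write_counts(events):
    """Cross-process writes per (source PID, target PID)."""
    return Counter((e["src"], e["dst"]) for e in events if e["kind"] == "write")


def injection_chain(events):
    """Follow WriteProcessMemory edges from each root (a PID nobody wrote into).
    Returns one [(pid, image), ...] list per root; linear for this sample."""
    edges, names = defaultdict(set), {}
    for e in events:
        if e["kind"] == "write":
            edges[e["src"]].add(e["dst"])
            names[e["src"]], names[e["dst"]] = e["src_name"], e["dst_name"]
    written_into = {d for ds in edges.values() for d in ds}
    chains = []
    for root in sorted(p for p in edges if p not in written_into):
        chain, pid, seen = [], root, set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            chain.append((pid, names[pid]))
            nxt = sorted(edges.get(pid, ()))
            pid = nxt[0] if nxt else None  # first child only: enough for a linear chain
        chains.append(chain)
    return chains


def hollowing_candidates(events):
    """A process that writes into a child and then resets one of its thread
    contexts is the process-hollowing shape (write payload, redirect the thread)."""
    writes = {(e["src"], e["dst"]) for e in events if e["kind"] == "write"}
    return [(e["src"], e["src_name"], e["dst"], e["dst_name"])
            for e in events if e["kind"] == "setctx" and (e["src"], e["dst"]) in writes]


def privilege_tokens(events):
    """How often each process enabled each privilege via AdjustTokenPrivileges."""
    return Counter((e["pid"], e["proc"], e["priv"]) for e in events if e["kind"] == "token")


def persistence(events):
    """Run-key entries with launcher and payload split out, so it is explicit that a
    LOLBin (regsvr32 /s) is pointed at a DLL inside the user profile."""
    out = []
    for e in events:
        if e["kind"] != "runkey":
            continue
        cmd = e["command"].replace("\\\\", "\\")  # the registry dump shows backslashes escaped
        parts = cmd.split()
        payload = parts[-1]
        out.append({"value": e["value"], "set_by": e["proc"], "launcher": parts[0].lower(),
                    "silent": any(p.lower() == "/s" for p in parts[1:-1]),
                    "payload": payload,
                    "from_user_profile": "\\appdata\\" in payload.lower()})
    return out


if __name__ == "__main__":
    ev = parse(IOC_LINES)
    for chain in injection_chain(ev):
        print("injection chain:", " -> ".join(f"{n}[{p}]" for p, n in chain))
    for src, sn, dst, dn in hollowing_candidates(ev):
        print(f"hollowing: {sn}[{src}] wrote {write_counts(ev)[(src, dst)]}x into "
              f"{dn}[{dst}] then set its thread context")
    for p in persistence(ev):
        print(f"persistence: Run\\{p['value']} -> {p['launcher']} {p['payload']} "
              f"(silent={p['silent']}, user profile={p['from_user_profile']})")
```

The same parse step works on the full 16-write record; the abbreviated input only changes the per-edge counts. On a live host the equivalent check is the Run key itself: any value whose command is regsvr32.exe /s (or rundll32.exe) with a DLL under AppData is worth pulling and hashing.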
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(Dump names are PID-index-address range; PID 544 is msiexec.exe, PID 1300 the SysWOW64 rundll32.exe.)
- memory/544-1-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/544-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
- memory/544-3-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/544-4-0x0000000000000000-mapping.dmp
- memory/1056-5-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp (2.5MB)
- memory/1300-0-0x0000000000000000-mapping.dmp