zloader | 67b46301815d5ba32f90af114a459810902ba6d97a75821c8455b8103073b499 | Triage

Analysis

max time kernel
143s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 20:37

Sharing

Report Analysis Logs

General

Target

w.dll
Size

492KB
MD5

892fbc87fdbcbe9d91e17ae7355eb54c
SHA1

c0e25d2f02a768def644be6c248732da4f91495b
SHA256

67b46301815d5ba32f90af114a459810902ba6d97a75821c8455b8103073b499
SHA512

09c30eef3c57be57ef396ff1c2de92f0cff1b57bea0e56ab6401b844b4c5982c7a56f3ef708d0aff2bb6ea1baaef5cf39098b6623bc529c579b35ad73ea4039a

Score

10^/10

zloader botnet trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 14 IoCs

Processes:

msiexec.exe

flow	pid	process
25	3944	msiexec.exe
26	3944	msiexec.exe
27	3944	msiexec.exe
28	3944	msiexec.exe
29	3944	msiexec.exe
30	3944	msiexec.exe
32	3944	msiexec.exe
33	3944	msiexec.exe
34	3944	msiexec.exe
35	3944	msiexec.exe
36	3944	msiexec.exe
37	3944	msiexec.exe
39	3944	msiexec.exe
40	3944	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3648 set thread context of 3944 3648 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 3944 msiexec.exe
Token: SeSecurityPrivilege 3944 msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3408 wrote to memory of 3648	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 3648	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 3648	3408	rundll32.exe	rundll32.exe
PID 3648 wrote to memory of 3944	3648	rundll32.exe	msiexec.exe
PID 3648 wrote to memory of 3944	3648	rundll32.exe	msiexec.exe
PID 3648 wrote to memory of 3944	3648	rundll32.exe	msiexec.exe
PID 3648 wrote to memory of 3944	3648	rundll32.exe	msiexec.exe
PID 3648 wrote to memory of 3944	3648	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\w.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\w.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3648-0-0x0000000000000000-mapping.dmp

Download
memory/3944-1-0x0000000002F60000-0x0000000002F8B000-memory.dmp

Filesize
172KB

Download
memory/3944-2-0x0000000000000000-mapping.dmp

Download