Analysis
- max time kernel: 102s
- max time network: 101s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 27-11-2020 20:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2020-11-27-ZLoader-DLL-example-02.bin.dll
  - Resource: win7v20201028
General
- Target: 2020-11-27-ZLoader-DLL-example-02.bin.dll
- Size: 285KB
- MD5: a14d7a30ec304ce96f88347b25cbb668
- SHA1: 092a7a2f5509b92adacacb3b9215e2e61ba633fc
- SHA256: b513c6fc32ea4666e3be5c62d50336db003f75de5344450c8e4a2d88b8911c06
- SHA512: 939c778efa7ec498b4b8b3d3e0ef9e1ab2f71845ed9a5513673290240fd0ab88b378e5d0ac682da639c2809a070aa538f8f0da762d8d41e584ea2ef46cc64589
Malware Config
Extracted
- Family: zloader
- Botnet: vek
- Campaign: 27/11
- C2:
  - https://hac3r.com/wp-punch.php
  - https://womtools.com/wp-punch.php
  - https://valitec.co/wp-punch.php
  - https://empresascreciendobien.com/server.php
  - https://smartat.co/error.php
  - https://teamearenttopdiaty.ga/wp-smarts.php
Signatures
- Blacklisted process makes network request (6 IoCs)
  flow  pid   process
  7     1572  msiexec.exe
  9     1572  msiexec.exe
  11    1572  msiexec.exe
  13    1572  msiexec.exe
  15    1572  msiexec.exe
  17    1572  msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process       target process
  PID 1292 set thread context of 1572  1292  regsvr32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   process
  Token: SeSecurityPrivilege  1572  msiexec.exe
  Token: SeSecurityPrivilege  1572  msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs; identical rows collapsed, count in last column)
  description                       pid   process       target process  count
  PID 1924 wrote to memory of 1292  1924  regsvr32.exe  regsvr32.exe    7
  PID 1292 wrote to memory of 1572  1292  regsvr32.exe  msiexec.exe     9
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2020-11-27-ZLoader-DLL-example-02.bin.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\2020-11-27-ZLoader-DLL-example-02.bin.dll
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         command line: msiexec.exe
         - Blacklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken
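Read together, the signature rows and the process tree describe one injection chain: the 64-bit regsvr32.exe re-launches the 32-bit SysWOW64 copy to load the DLL, that copy writes into a freshly started msiexec.exe and then sets its thread context, and msiexec.exe is the process that goes on to contact the C2 URLs from the extracted config. The following is an added example, not part of the Triage report or of the sample, that parses the signature rows exactly as they are flattened on this page, pairs each remote write with a SetThreadContext into the same target (the classic hollowing handshake), keeps only targets that then made network requests, and turns the C2 list into a defanged blocklist. The row strings are copied from the report; the regexes, the `Event`/`Hit` tuples and the pairing rule are the editor's own.

```python
"""Reconstruct the injection chain from Triage-style signature rows.

Editor's example; not code from the report or the ZLoader sample. The row
strings below are copied from the report as flattened on this page; the
parsing regexes and the write+SetThreadContext pairing rule are assumptions.
"""
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

# Signature rows as flattened above: "description pid process target process".
WRITE_PROCESS_MEMORY_ROWS = (
    "PID 1924 wrote to memory of 1292 1924 regsvr32.exe regsvr32.exe " * 7
    + "PID 1292 wrote to memory of 1572 1292 regsvr32.exe msiexec.exe " * 9
)
SET_THREAD_CONTEXT_ROWS = "PID 1292 set thread context of 1572 1292 regsvr32.exe msiexec.exe"
# "flow pid process" rows from "Blacklisted process makes network request".
NETWORK_ROWS = ("7 1572 msiexec.exe 9 1572 msiexec.exe 11 1572 msiexec.exe "
                "13 1572 msiexec.exe 15 1572 msiexec.exe 17 1572 msiexec.exe")
C2_URLS = [
    "https://hac3r.com/wp-punch.php",
    "https://womtools.com/wp-punch.php",
    "https://valitec.co/wp-punch.php",
    "https://empresascreciendobien.com/server.php",
    "https://smartat.co/error.php",
    "https://teamearenttopdiaty.ga/wp-smarts.php",
]

Event = namedtuple("Event", "action src_pid src_image tgt_pid tgt_image")
Hit = namedtuple("Hit", "src_pid src_image tgt_pid tgt_image writes")

# The source pid appears twice per row (description and pid column), hence \1.
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)")
NET_RE = re.compile(r"(\d+) (\d+) (\S+)")


def parse_rows(text):
    """Turn flattened 'PID x <action> y x image target' rows into Event tuples."""
    return [Event(action, int(src), src_img, int(tgt), tgt_img)
            for src, action, tgt, src_img, tgt_img in ROW_RE.findall(text)]


def parse_network(text):
    """Return (flow, pid, image) tuples from the flattened network rows."""
    return [(int(flow), int(pid), image) for flow, pid, image in NET_RE.findall(text)]


def find_hollowing(events):
    """Flag every source that both wrote into a target and set one of its thread
    contexts.  Writes with no context change (here 1924 -> 1292) are not flagged:
    on their own they are how a parent hands off to a child it just created."""
    writes = Counter((e.src_pid, e.tgt_pid) for e in events if e.action == "wrote to memory of")
    return [Hit(e.src_pid, e.src_image, e.tgt_pid, e.tgt_image, writes[(e.src_pid, e.tgt_pid)])
            for e in events
            if e.action == "set thread context of" and writes[(e.src_pid, e.tgt_pid)] > 0]


def beaconing_hollowed(hits, net_events):
    """Keep only hollowed targets that went on to make network requests."""
    net_pids = {pid for _, pid, _ in net_events}
    return [h for h in hits if h.tgt_pid in net_pids]


def c2_hosts(urls):
    """Distinct C2 hostnames, sorted, ready for a DNS or proxy blocklist."""
    return sorted({urlparse(u).hostname for u in urls})


def defang(url):
    """Render an indicator as hxxps://host[.]tld/path so it is not clickable."""
    p = urlparse(url)
    return f"{p.scheme.replace('http', 'hxxp')}://{p.hostname.replace('.', '[.]')}{p.path}"


if __name__ == "__main__":
    events = parse_rows(WRITE_PROCESS_MEMORY_ROWS) + parse_rows(SET_THREAD_CONTEXT_ROWS)
    for h in beaconing_hollowed(find_hollowing(events), parse_network(NETWORK_ROWS)):
        print(f"{h.src_image} ({h.src_pid}) wrote {h.writes}x into {h.tgt_image} ({h.tgt_pid}), "
              f"set its thread context, and {h.tgt_image} then made network requests")
    for u in C2_URLS:
        print(defang(u))
```

On this report the pairing rule yields a single hit, regsvr32.exe (1292) into msiexec.exe (1572), and the seven writes from 1924 into 1292 are left alone because no SetThreadContext accompanies them. The same rule runs unchanged over the matching Sysmon or EDR events (a remote write plus a thread-context change from one pid into another), which is where it earns its keep.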
Network
MITRE ATT&CK Matrix
Downloads
- memory/1292-2-0x0000000000000000-mapping.dmp
- memory/1572-3-0x0000000000090000-0x00000000000B6000-memory.dmp (152KB)
- memory/1572-4-0x0000000000100000-0x0000000000101000-memory.dmp (4KB)
- memory/1572-5-0x0000000000090000-0x00000000000B6000-memory.dmp (152KB)
- memory/1572-6-0x0000000000000000-mapping.dmp
- memory/1704-7-0x000007FEF7D20000-0x000007FEF7F9A000-memory.dmp (2.5MB)