Analysis
  Max time kernel:  40s
  Max time network: 106s
  Platform:         windows10_x64
  Resource:         win10v20201028
  Submitted:        08-12-2020 15:35
  Static task:      static1
General
  Target: a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5.zloader.dll
  Size:   367KB
  MD5:    f444b7d8129efac76e4d0fd557b2f674
  SHA1:   879270064a5b4834b3828a5cd7ed08537bc04287
  SHA256: a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5
  SHA512: ec46e467f1b42daa02a12b3f5403869cc3298c626beceee5b9c073d576eaa056e442fff829dac79b417d79457f3e0a8668b5aa8d50d722dca18558dce46efe28
Malware Config
  Extracted
    Family:   zloader
    Botnet:   nut
    Campaign: 08/12
    C2:
      https://nature4health.id/wp-punch.php
      https://maschuquisaca.tk/wp-punch.php
      https://serproimsas.com/wp-punch.php
      https://agrospas.co.rs/wp-punch.php
      https://fnxcrypto.com/server.php
      https://lywakelireal.ga/wp-smarts.php
    rc4.plain
    rsa_pubkey.plain
Signatures

  Blocklisted process makes network request (6 IoCs)
    Processes: msiexec.exe
    flow  pid   process
    15    2176  msiexec.exe
    17    2176  msiexec.exe
    19    2176  msiexec.exe
    21    2176  msiexec.exe
    23    2176  msiexec.exe
    25    2176  msiexec.exe

  Suspicious use of SetThreadContext (1 IoC)
    Processes: rundll32.exe
    description                           pid   process       target process
    PID 1264 set thread context of 2176   1264  rundll32.exe  msiexec.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Processes: msiexec.exe
    description                  pid   process
    Token: SeSecurityPrivilege   2176  msiexec.exe
    Token: SeSecurityPrivilege   2176  msiexec.exe

  Suspicious use of WriteProcessMemory (8 IoCs)
    Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 1192 wrote to memory of 1264   1192  rundll32.exe  rundll32.exe
    PID 1192 wrote to memory of 1264   1192  rundll32.exe  rundll32.exe
    PID 1192 wrote to memory of 1264   1192  rundll32.exe  rundll32.exe
    PID 1264 wrote to memory of 2176   1264  rundll32.exe  msiexec.exe
    PID 1264 wrote to memory of 2176   1264  rundll32.exe  msiexec.exe
    PID 1264 wrote to memory of 2176   1264  rundll32.exe  msiexec.exe
    PID 1264 wrote to memory of 2176   1264  rundll32.exe  msiexec.exe
    PID 1264 wrote to memory of 2176   1264  rundll32.exe  msiexec.exe
Processes

  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5.zloader.dll,#1
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5.zloader.dll,#1
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\msiexec.exe
           Command line: msiexec.exe
           - Blocklisted process makes network request
           - Suspicious use of AdjustPrivilegeToken
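Read together, the signatures and the process tree describe a single chain: the 64-bit rundll32.exe (PID 1192) writes into the SysWOW64 rundll32.exe (PID 1264) that actually loads the 32-bit DLL, that process writes into msiexec.exe (PID 2176) and sets its thread context, and every blocklisted network request and SeSecurityPrivilege token adjustment is then made by msiexec.exe. Memory writes followed by a thread-context change on the same target from the same source is the pattern a process-hollowing / thread-hijack detection keys on; the report does not show the process-creation flags, so this is a candidate, not proof. The script below is an added example and not part of the sandbox report: it takes the IoC rows as constructed Python dicts (the `sig` names and field layout are this example's own convention, not the sandbox's export format), correlates them per (source, target) edge, and walks the resulting injection chain.

```python
"""Correlate per-process sandbox signatures into an injection chain.

Added example: the records below are constructed from the IoC rows of the
report above; the event names ("sig") and field layout are this example's
own convention, not the sandbox's export format.
"""
from collections import defaultdict
from dataclasses import dataclass, field


def _rows(n, **fields):
    """Repeat one IoC row n times (the report lists one row per API call)."""
    return [dict(fields) for _ in range(n)]


# Constructed sample events, one dict per IoC row in the Signatures section.
SAMPLE_EVENTS = (
    _rows(3, sig="WriteProcessMemory", pid=1192, process="rundll32.exe",
          target_pid=1264, target_process="rundll32.exe")
    + _rows(5, sig="WriteProcessMemory", pid=1264, process="rundll32.exe",
            target_pid=2176, target_process="msiexec.exe")
    + _rows(1, sig="SetThreadContext", pid=1264, process="rundll32.exe",
            target_pid=2176, target_process="msiexec.exe")
    + _rows(2, sig="AdjustPrivilegeToken", pid=2176, process="msiexec.exe",
            detail="SeSecurityPrivilege")
    + [dict(sig="NetworkRequest", pid=2176, process="msiexec.exe", flow=f)
       for f in (15, 17, 19, 21, 23, 25)]
)


@dataclass
class Finding:
    """One (source -> target) edge plus everything observed on the target."""
    source_pid: int
    source_process: str
    target_pid: int
    target_process: str
    writes: int                   # WriteProcessMemory rows on this edge
    thread_context_set: bool      # SetThreadContext row on this edge
    network_flows: list = field(default_factory=list)  # flows from target
    privileges: list = field(default_factory=list)     # tokens adjusted by target

    @property
    def hollowing_candidate(self) -> bool:
        # Writing into another process and then redirecting one of its
        # threads is the hollowing / thread-hijack pattern. Either call on
        # its own is noisy; the pair on the same edge is not.
        return self.writes > 0 and self.thread_context_set


def correlate(events):
    """Group IoC rows by (source pid, target pid) and attach target activity."""
    writes = defaultdict(int)   # edge -> number of WriteProcessMemory rows
    ctx_edges = set()           # edges that also had SetThreadContext
    names = {}                  # pid -> image name
    flows = defaultdict(list)   # pid -> network flow ids
    privs = defaultdict(list)   # pid -> privilege names adjusted
    for e in events:
        names[e["pid"]] = e["process"]
        if e["sig"] in ("WriteProcessMemory", "SetThreadContext"):
            names[e["target_pid"]] = e["target_process"]
            edge = (e["pid"], e["target_pid"])
            if e["sig"] == "WriteProcessMemory":
                writes[edge] += 1
            else:
                ctx_edges.add(edge)
        elif e["sig"] == "NetworkRequest":
            flows[e["pid"]].append(e["flow"])
        elif e["sig"] == "AdjustPrivilegeToken":
            privs[e["pid"]].append(e["detail"])
    findings = []
    for edge in sorted(set(writes) | ctx_edges):
        src, dst = edge
        findings.append(Finding(
            src, names[src], dst, names[dst],
            writes.get(edge, 0), edge in ctx_edges,
            sorted(flows.get(dst, [])), sorted(set(privs.get(dst, [])))))
    return findings


def injection_chain(findings):
    """Walk from the process that is only ever a source to the final target.

    Simplification: assumes one outgoing edge per source (a single chain).
    """
    by_source = {f.source_pid: f for f in findings}
    targets = {f.target_pid for f in findings}
    roots = [f for f in findings if f.source_pid not in targets]
    if not roots:
        return []
    cur = roots[0]
    chain = [(cur.source_pid, cur.source_process)]
    seen = set()
    while cur is not None and cur.target_pid not in seen:
        seen.add(cur.target_pid)
        chain.append((cur.target_pid, cur.target_process))
        cur = by_source.get(cur.target_pid)
    return chain


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for f in found:
        flag = "HOLLOWING?" if f.hollowing_candidate else "write-only"
        print(f"{f.source_process}({f.source_pid}) -> "
              f"{f.target_process}({f.target_pid}): {f.writes} writes, "
              f"ctx={f.thread_context_set} [{flag}] "
              f"flows={f.network_flows} privs={f.privileges}")
    print(" -> ".join(f"{n}({p})" for p, n in injection_chain(found)))
```

On these rows only the 1264 -> 2176 edge carries both writes and a SetThreadContext, so it is the one flagged; the 1192 -> 1264 edge is write-only, which is what you would expect from the 64-bit host handing the 32-bit DLL over to a SysWOW64 rundll32. The flagged target is also the only process with network flows and token adjustments, so in a live telemetry pipeline the same join is what ties the C2 traffic back to the DLL rather than to a legitimate msiexec.exe.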