Analysis
max time kernel: 149s
max time network: 152s
platform: windows10_x64
resource: win10-en-20210920
submitted: 04-10-2021 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: zloader_1_0_2_0.dll
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: zloader_1_0_2_0.dll
  Resource: win10-en-20210920 (windows10_x64)
  0 signatures, 0 seconds
General
Target: zloader_1_0_2_0.dll
Size: 338KB
MD5: 62d565051f3cae6d6bc8971420bec819
SHA1: b6c0f532108a3b392e9d8c1b0cfbf85cf8aa8fb3
SHA256: f1bdd2bcbaf40bb99224fa293edc1581fd124da63c035657918877901d79bed8
SHA512: c1401aeb4788ff39a501529ab3cd55223570404657be98c137326d76f7a23e5bf6dbb1faefd609519819c509ffcfd4d47f06c09afacad460485fbda9eb87d9ff
Score: 10/10
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: msiexec.exe
  Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Biehibb = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hegi\\ocyh.dll,DllRegisterServer"

Suspicious use of SetThreadContext (1 IoC)
  PID 2504 (rundll32.exe) set thread context of PID 2668 (msiexec.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 2668 (msiexec.exe) adjusted token privilege SeSecurityPrivilege (2 events)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2416 (rundll32.exe) wrote to memory of PID 2504 (rundll32.exe): 3 events
  PID 2504 (rundll32.exe) wrote to memory of PID 2668 (msiexec.exe): 5 events
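The four signature groups above are the report's strongest behavioural evidence: a Run-key value that makes rundll32.exe load a DLL dropped under the user's profile (ocyh.dll, export DllRegisterServer), and a rundll32.exe -> msiexec.exe chain of WriteProcessMemory calls followed by SetThreadContext. That API sequence is consistent with process hollowing, but the report only shows the write/context pattern, not an unmapping of the target image, so treat it as consistent with rather than proof of hollowing. The Python below is an added example, not part of this report or of the sandbox's own signature engine: it replays the IoC rows as constructed Sysmon-style events and runs two rules over them, then ties the Run-key write and the SeSecurityPrivilege adjustment back to the injected target process. The event field names, the list of user-writable directories and the benign contrast entry are assumptions.

```python
"""Detection pass over the behaviours this report flags: a Run-key entry that
launches rundll32.exe against a DLL under the user profile, and a
rundll32.exe -> msiexec.exe WriteProcessMemory/SetThreadContext chain.

Added example, not part of the sandbox report or its tooling. EVENTS are
CONSTRUCTED from the report's IoC rows in a Sysmon-like shape; field names and
the user-writable directory list are assumptions."""

import re
from collections import defaultdict

# Autostart key written by the injected msiexec.exe in the report.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

# Directories an unprivileged user can write to (assumed list; extend per estate).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\",
    re.I,
)

# "rundll32.exe <dll>,<export> [args]" with optional quoting and full path.
RUNDLL32_CMD = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+)"?'
    r'(?:,(?P<export>\S+))?'
    r'(?:\s.*)?$',
    re.I,
)

SID = "S-1-5-21-2481030822-2828258191-1606198294-1000"
EVENTS = [
    # Run-key write by the injected msiexec.exe (from the report's IoC row).
    {"type": "registry_set", "pid": 2668, "image": "msiexec.exe",
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Biehibb",
     "value": r"rundll32.exe C:\Users\Admin\AppData\Roaming\Hegi\ocyh.dll,DllRegisterServer"},
    # Constructed benign autostart for contrast: not rundll32, not a user-writable path.
    {"type": "registry_set", "pid": 4120, "image": "explorer.exe",
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r'"C:\Program Files\Vendor\Tray.exe" /background'},
]
# 3 writes 2416 -> 2504 (rundll32 -> rundll32), 5 writes 2504 -> 2668 (rundll32 -> msiexec).
EVENTS += [{"type": "write_process_memory", "pid": 2416, "image": "rundll32.exe",
            "target_pid": 2504, "target_image": "rundll32.exe"} for _ in range(3)]
EVENTS += [{"type": "write_process_memory", "pid": 2504, "image": "rundll32.exe",
            "target_pid": 2668, "target_image": "msiexec.exe"} for _ in range(5)]
EVENTS += [
    {"type": "set_thread_context", "pid": 2504, "image": "rundll32.exe",
     "target_pid": 2668, "target_image": "msiexec.exe"},
    {"type": "adjust_privilege", "pid": 2668, "image": "msiexec.exe", "privilege": "SeSecurityPrivilege"},
    {"type": "adjust_privilege", "pid": 2668, "image": "msiexec.exe", "privilege": "SeSecurityPrivilege"},
]


def parse_rundll32(cmd):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_CMD.match(cmd.strip())
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def check_run_key(event):
    """Flag a Run-key value that makes rundll32 load a DLL from a user-writable path."""
    if event["type"] != "registry_set" or not RUN_KEY.search(event["key"]):
        return None
    parsed = parse_rundll32(event["value"])
    if parsed is None:
        return None
    dll, export = parsed
    if not USER_WRITABLE.search(dll):
        return None  # rundll32 persistence from a system path: review manually, not auto-flagged here
    return {"kind": "rundll32_run_key", "pid": event["pid"], "image": event["image"],
            "key": event["key"], "dll": dll, "export": export}


def check_injection(events):
    """Pair WriteProcessMemory with SetThreadContext on the same (source, target) PIDs."""
    writes, images, ctx_pairs = defaultdict(int), {}, set()
    for e in events:
        if e["type"] not in ("write_process_memory", "set_thread_context"):
            continue
        pair = (e["pid"], e["target_pid"])
        images[pair] = (e["image"], e["target_image"])
        if e["type"] == "write_process_memory":
            writes[pair] += 1
        else:
            ctx_pairs.add(pair)
    findings = []
    for pair in sorted(writes):
        if pair not in ctx_pairs:
            continue  # writes without a thread-context change are weaker evidence; keep as telemetry
        src, dst = images[pair]
        findings.append({"kind": "write_then_set_thread_context",
                         "source_pid": pair[0], "source_image": src,
                         "target_pid": pair[1], "target_image": dst,
                         "writes": writes[pair], "cross_image": src.lower() != dst.lower()})
    return findings


def analyze(events):
    """Run both rules and attach the injection target's persistence and privilege activity."""
    persistence = [f for f in map(check_run_key, events) if f]
    injection = check_injection(events)
    privs = defaultdict(set)
    for e in events:
        if e["type"] == "adjust_privilege":
            privs[e["pid"]].add(e["privilege"])
    for inj in injection:
        t = inj["target_pid"]
        inj["persistence_by_target"] = [p["dll"] for p in persistence if p["pid"] == t]
        inj["privileges_by_target"] = sorted(privs[t])
    return {"persistence": persistence, "injection": injection}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

The 2416 -> 2504 writes (the 64-bit rundll32.exe into the SysWOW64 rundll32.exe it spawned) are deliberately not reported, because no SetThreadContext follows them; only the 2504 -> 2668 pair, where the image name changes to msiexec.exe and the context reset follows, becomes a finding, and the persistence write plus the SeSecurityPrivilege adjustment attributed to PID 2668 then confirm that the injected process, not the loader, is the one that acts.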
Processes
(PIDs taken from the WriteProcessMemory IoC rows above; the tree itself lists only paths, command lines and depth.)
C:\Windows\system32\rundll32.exe  (depth 1, PID 2416)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zloader_1_0_2_0.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (depth 2, PID 2504)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zloader_1_0_2_0.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe  (depth 3, PID 2668)
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2504-115-0x0000000000000000-mapping.dmp
memory/2504-116-0x00000000735A0000-0x00000000735C9000-memory.dmp (164KB)
memory/2504-117-0x00000000735A0000-0x0000000073EFE000-memory.dmp (9.4MB)
memory/2504-118-0x00000000001E0000-0x00000000001E1000-memory.dmp (4KB)
memory/2668-119-0x0000000000000000-mapping.dmp
memory/2668-122-0x0000000000A30000-0x0000000000A59000-memory.dmp (164KB)