Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 06:57

General

  • Target

    74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe

  • Size

    194KB

  • MD5

    09874cbb134851ff3b971960916ce5bb

  • SHA1

    42d32698f9513024f024eb6d1efcd9532ac1f622

  • SHA256

    74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533

  • SHA512

    502189cc108e8c8034d957a9b6b32c29731f9a4d0811ffd147ab3ff516144521c77234c1d114694b070965c4300f36410b607828cb961c56649e04cdd697ee05

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes
build_id
125
rc4.plain
rsa_pubkey.plain

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess ⋅ 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • suricata: ET MALWARE Zbot POST Request to C2

    suricata: ET MALWARE Zbot POST Request to C2

  • Blocklisted process makes network request ⋅ 3 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Program crash ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:2636
    • C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe
      "C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe"
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 376
        Program crash
        PID:3208
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      Blocklisted process makes network request
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3556 -ip 3556
    PID:3116

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Replay Monitor

                          00:00 00:00

                          Downloads

                          • memory/2100-133-0x0000000000000000-mapping.dmp
                          • memory/2100-134-0x0000000000430000-0x0000000000458000-memory.dmp
                          • memory/2100-135-0x0000000000430000-0x0000000000458000-memory.dmp
                          • memory/3556-130-0x0000000000A28000-0x0000000000A41000-memory.dmp
                          • memory/3556-131-0x00000000024C0000-0x00000000024E5000-memory.dmp
                          • memory/3556-132-0x0000000000400000-0x00000000008CE000-memory.dmp