Overview

overview

10

Static

static

aed3dfe631...e1.exe

windows7_x64

10

aed3dfe631...e1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 05:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aed3dfe631190b233b06f472c55af6dd1d222bc07c3ac32284a29555bf6bf1e1.exe

  • Size

    204KB

  • MD5

    3c444a0943effa540416d6e44fbcb13d

  • SHA1

    e9d69e561e6adbac9e5db5375fd6b138d2fb3d2b

  • SHA256

    aed3dfe631190b233b06f472c55af6dd1d222bc07c3ac32284a29555bf6bf1e1

  • SHA512

    7496257548078d4f23229545d48f23a828c8afffca78bf6c0a3c4d78a2b83439629bff2d7b6753e78c214d1960abf1a535a61a8cfd25e10285228200b305781a

Score
10/10
zloadercanadaloadsnerinobotnetpersistencesuricatatrojan

Malware Config

Extracted

Family

zloader

Botnet

CanadaLoads

Campaign

Nerino

C2

https://tempmailsin112.com/bFnF0y1r/7QKpXmV3Pz.php

https://roadonroadonroad.com/bFnF0y1r/7QKpXmV3Pz.php

https://roadtocaliss.com/bFnF0y1r/7QKpXmV3Pz.php

https://referrer222.com/bFnF0y1r/7QKpXmV3Pz.php

https://makeitrainfordee.com/bFnF0y1r/7QKpXmV3Pz.php

https://makeitrainforffeer.com/bFnF0y1r/7QKpXmV3Pz.php

https://torosdodos221.com/bFnF0y1r/7QKpXmV3Pz.php

https://morningcoffeeclasd.com/bFnF0y1r/7QKpXmV3Pz.php

https://rememberingtss.com/bFnF0y1r/7QKpXmV3Pz.php

https://dodavova012.com/bFnF0y1r/7QKpXmV3Pz.php
Attributes
  • build_id

    67

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • suricata: ET MALWARE Zbot POST Request to C2

    suricata: ET MALWARE Zbot POST Request to C2

    suricata
  • Blocklisted process makes network request 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aed3dfe631190b233b06f472c55af6dd1d222bc07c3ac32284a29555bf6bf1e1.exe
    "C:\Users\Admin\AppData\Local\Temp\aed3dfe631190b233b06f472c55af6dd1d222bc07c3ac32284a29555bf6bf1e1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 228
      2⤵
      • Program crash
      PID:4964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1040 -ip 1040
    1⤵
      PID:1256

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1040-130-0x0000000000B88000-0x0000000000BA2000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1040-131-0x0000000000B40000-0x0000000000B66000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1040-132-0x0000000000400000-0x00000000007EF000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/2436-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2436-134-0x00000000006C0000-0x00000000006E9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2436-135-0x00000000006C0000-0x00000000006E9000-memory.dmp
      Filesize

      164KB

      Download