Behavioral Report

max time kernel149s
max time network44s
platformwindows7_x64
resourcewin7-20220414-en
submitted20-05-2022 23:44

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll

Filesize

485KB

Completed

20-05-2022 23:56

Task

behavioral1

Score

10^/10

MD5

e4a088773d56d0f6e7d1582f100b5137

SHA1

5cf878a09b2de0b664467b928ad03453e5c1491e

SHA256

45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543

SHA512

eea5d926f100f5ae136e2ea5c71530ff087349ed89aa069b1cc4490ca8bb0432e1013e953de6c56befd660acd673d388aeef3e9db0ced7cbd4dd71ed432f0f6d

zloader r1 r1 botnet trojan

Extracted

Family	zloader
Botnet	r1
Campaign	r1
C2	http://bsraotpeiimmrnchcqvr.com/LKhwojehDgwegSDG/gateJKjdsh.php http://exqnbgauiphxqdeecitw.com/LKhwojehDgwegSDG/gateJKjdsh.php http://fpbkvirfkfvufpbkvgty.com/LKhwojehDgwegSDG/gateJKjdsh.php http://hikowojacckxccgglhvy.com/LKhwojehDgwegSDG/gateJKjdsh.php http://kdrowkrjhrdmbxkthljt.com/LKhwojehDgwegSDG/gateJKjdsh.php http://nvlmtlisfmcfgimicstx.com/LKhwojehDgwegSDG/gateJKjdsh.php http://syohvyctqfcgakxepsou.com/LKhwojehDgwegSDG/gateJKjdsh.php http://wdwrhikolxfwyyhwwfut.com/LKhwojehDgwegSDG/gateJKjdsh.php http://bsraotpeiimmrnchcqvr.com/LKhwojehDgwegSDG/gateJKjdsh.php http://exqnbgauiphxqdeecitw.com/LKhwojehDgwegSDG/gateJKjdsh.php http://fpbkvirfkfvufpbkvgty.com/LKhwojehDgwegSDG/gateJKjdsh.php http://hikowojacckxccgglhvy.com/LKhwojehDgwegSDG/gateJKjdsh.php http://kdrowkrjhrdmbxkthljt.com/LKhwojehDgwegSDG/gateJKjdsh.php http://nvlmtlisfmcfgimicstx.com/LKhwojehDgwegSDG/gateJKjdsh.php http://syohvyctqfcgakxepsou.com/LKhwojehDgwegSDG/gateJKjdsh.php http://wdwrhikolxfwyyhwwfut.com/LKhwojehDgwegSDG/gateJKjdsh.php
Attributes	build_id 17
rc4.plain
rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess
regsvr32.exe

Reported IOCs

description pid process target process

PID 1676 created 1296 1676 regsvr32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx

Description

Zloader is a malware strain that was initially discovered back in August 2015.

Tags

trojan botnet zloader
Suspicious use of SetThreadContext
regsvr32.exe

Reported IOCs

description pid process target process

PID 1676 set thread context of 916 1676 regsvr32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses
regsvr32.exe

Reported IOCs

pid process

1676 regsvr32.exe

description	pid	process	target process
PID 1676 created 1296	1676	regsvr32.exe	Explorer.EXE

description	pid	process	target process
PID 1676 set thread context of 916	1676	regsvr32.exe	msiexec.exe

pid	process
1676	regsvr32.exe

Suspicious use of AdjustPrivilegeToken

regsvr32.exemsiexec.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	1676	regsvr32.exe
Token: SeSecurityPrivilege	916	msiexec.exe
Token: SeSecurityPrivilege	916	msiexec.exe

Suspicious use of WriteProcessMemory

regsvr32.exeregsvr32.exe

Reported IOCs

description	pid	process	target process
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

PID:1296

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll

Suspicious use of WriteProcessMemory

PID:1304

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll

Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1676

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Suspicious use of AdjustPrivilegeToken

PID:916

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/916-60-0x00000000000D0000-0x00000000000FD000-memory.dmp

Download
memory/916-62-0x00000000000D0000-0x00000000000FD000-memory.dmp

Download
memory/916-63-0x0000000000000000-mapping.dmp

Download
memory/916-65-0x00000000000D0000-0x00000000000FD000-memory.dmp

Download
memory/1304-54-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Download
memory/1676-58-0x0000000074970000-0x00000000749FB000-memory.dmp

Download
memory/1676-59-0x0000000074970000-0x00000000749FB000-memory.dmp

Download
memory/1676-55-0x0000000000000000-mapping.dmp

Download
memory/1676-56-0x0000000076451000-0x0000000076453000-memory.dmp

Download
memory/1676-57-0x0000000074970000-0x000000007499D000-memory.dmp

Download

Extracted

Filter: none

Reported IOCs

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title