zloader | 9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d

Analysis

max time kernel
599s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d.dll
Size

165KB
MD5

11346a6580159a53b49afde7b06409d3
SHA1

52352bc254b2c5a9c9343b42ecff2333696b2462
SHA256

9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d
SHA512

826094d548dd38d6c24332bd9e5103a862e59003e1ce319ab2165282e80f45745044ecc7df69e0d311b04114f17d6bc3b289723904f67e9078e645c6d0f52f3d
SSDEEP

3072:D35JbHcU122oCZaBrEvqxHFIPwS0CZFQYAqcisjkvTbV0jECnjol:D/bHtboiwEcGPwS02FBA3Z2bmjrnjol

Score

10^/10

zloader dllobnova 2020 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

2020

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

Attributes

build_id
68

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

Processes:

msiexec.exe

flow	pid	process
33	1044	msiexec.exe
35	1044	msiexec.exe
37	1044	msiexec.exe
39	1044	msiexec.exe
41	1044	msiexec.exe
42	1044	msiexec.exe
43	1044	msiexec.exe
44	1044	msiexec.exe
45	1044	msiexec.exe
46	1044	msiexec.exe
47	1044	msiexec.exe
48	1044	msiexec.exe
49	1044	msiexec.exe
50	1044	msiexec.exe
51	1044	msiexec.exe
52	1044	msiexec.exe
53	1044	msiexec.exe
54	1044	msiexec.exe
55	1044	msiexec.exe
57	1044	msiexec.exe
59	1044	msiexec.exe
60	1044	msiexec.exe
61	1044	msiexec.exe
62	1044	msiexec.exe
63	1044	msiexec.exe
64	1044	msiexec.exe
65	1044	msiexec.exe
66	1044	msiexec.exe
67	1044	msiexec.exe
68	1044	msiexec.exe
69	1044	msiexec.exe
70	1044	msiexec.exe
71	1044	msiexec.exe
72	1044	msiexec.exe
73	1044	msiexec.exe
77	1044	msiexec.exe
78	1044	msiexec.exe
79	1044	msiexec.exe
80	1044	msiexec.exe
81	1044	msiexec.exe
82	1044	msiexec.exe
83	1044	msiexec.exe
84	1044	msiexec.exe
85	1044	msiexec.exe
86	1044	msiexec.exe
87	1044	msiexec.exe
88	1044	msiexec.exe
89	1044	msiexec.exe
90	1044	msiexec.exe
91	1044	msiexec.exe
92	1044	msiexec.exe
93	1044	msiexec.exe
94	1044	msiexec.exe
95	1044	msiexec.exe
96	1044	msiexec.exe
97	1044	msiexec.exe
98	1044	msiexec.exe
99	1044	msiexec.exe
100	1044	msiexec.exe
101	1044	msiexec.exe
102	1044	msiexec.exe
103	1044	msiexec.exe
104	1044	msiexec.exe
105	1044	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voxyfy = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Atapt\\ikri.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2208 set thread context of 1044 2208 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1044 msiexec.exe
Token: SeSecurityPrivilege 1044 msiexec.exe

description	pid	process	target process
PID 2208 set thread context of 1044	2208	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1044	msiexec.exe
Token: SeSecurityPrivilege	1044	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4904 wrote to memory of 2208	4904	regsvr32.exe	regsvr32.exe
PID 4904 wrote to memory of 2208	4904	regsvr32.exe	regsvr32.exe
PID 4904 wrote to memory of 2208	4904	regsvr32.exe	regsvr32.exe
PID 2208 wrote to memory of 1044	2208	regsvr32.exe	msiexec.exe
PID 2208 wrote to memory of 1044	2208	regsvr32.exe	msiexec.exe
PID 2208 wrote to memory of 1044	2208	regsvr32.exe	msiexec.exe
PID 2208 wrote to memory of 1044	2208	regsvr32.exe	msiexec.exe
PID 2208 wrote to memory of 1044	2208	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-133-0x0000000000000000-mapping.dmp

Download
memory/1044-134-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/1044-135-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/1044-136-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/2208-132-0x0000000000000000-mapping.dmp

Download