zloader | 76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6

Resubmissions

03-08-2023 07:52

230803-jqkwdsca99 10

27-07-2023 11:24

26-12-2022 13:39

26-12-2022 13:39

26-12-2022 13:38

26-12-2022 13:38

Analysis

max time kernel
1748s
max time network
1555s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
Size

111KB
MD5

e3564138588cba04c873bd054458f8b9
SHA1

157ec7421e1333b714d01a750b6d5d6517a92c45
SHA256

e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
SHA512

2a2e8ce45a928bcffdb40ebf6559c1f071bb3feccfd9cfe355e593acb559ecf84858cf4474708d311317ab08b3f981eba7c8b80dceae973839a0eec9049665c8
SSDEEP

1536:3ui/9Xb791Wff4K84oeRnobxxm2ShclQaLMin8F5vAC+WEQbAmTjTpeyv0+gPzff:H/J7jWHT/oegcaQF5XEgHbpeyvfgT

Score

10^/10

zloader botnet persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 42 IoCs

Processes:

msiexec.exe

flow	pid	process
62	1628	msiexec.exe
66	1628	msiexec.exe
70	1628	msiexec.exe
73	1628	msiexec.exe
77	1628	msiexec.exe
82	1628	msiexec.exe
84	1628	msiexec.exe
104	1628	msiexec.exe
105	1628	msiexec.exe
106	1628	msiexec.exe
107	1628	msiexec.exe
108	1628	msiexec.exe
109	1628	msiexec.exe
110	1628	msiexec.exe
115	1628	msiexec.exe
116	1628	msiexec.exe
117	1628	msiexec.exe
118	1628	msiexec.exe
119	1628	msiexec.exe
120	1628	msiexec.exe
121	1628	msiexec.exe
125	1628	msiexec.exe
126	1628	msiexec.exe
127	1628	msiexec.exe
128	1628	msiexec.exe
129	1628	msiexec.exe
130	1628	msiexec.exe
131	1628	msiexec.exe
135	1628	msiexec.exe
136	1628	msiexec.exe
137	1628	msiexec.exe
138	1628	msiexec.exe
139	1628	msiexec.exe
140	1628	msiexec.exe
141	1628	msiexec.exe
145	1628	msiexec.exe
146	1628	msiexec.exe
147	1628	msiexec.exe
148	1628	msiexec.exe
149	1628	msiexec.exe
150	1628	msiexec.exe
151	1628	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hiuggi = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Cagu\\fyehgo.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 5084 set thread context of 1628 5084 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1628 msiexec.exe
Token: SeSecurityPrivilege 1628 msiexec.exe

description	pid	process	target process
PID 5084 set thread context of 1628	5084	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1628	msiexec.exe
Token: SeSecurityPrivilege	1628	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3932 wrote to memory of 5084	3932	regsvr32.exe	regsvr32.exe
PID 3932 wrote to memory of 5084	3932	regsvr32.exe	regsvr32.exe
PID 3932 wrote to memory of 5084	3932	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 1628	5084	regsvr32.exe	msiexec.exe
PID 5084 wrote to memory of 1628	5084	regsvr32.exe	msiexec.exe
PID 5084 wrote to memory of 1628	5084	regsvr32.exe	msiexec.exe
PID 5084 wrote to memory of 1628	5084	regsvr32.exe	msiexec.exe
PID 5084 wrote to memory of 1628	5084	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-136-0x0000000000E80000-0x0000000000EA1000-memory.dmp

Filesize
132KB

Download