zloader | 023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82

Resubmissions

15-11-2023 11:10

231115-m96hzsgb22 10

02-05-2022 23:45

220502-3rtpgaeghq 10

Analysis

max time kernel
1086s
max time network
1088s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
15-11-2023 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe
Size

2.6MB
MD5

fb95561e8ed7289d015e945ad470e6db
SHA1

03573bc869701cffd7c96e223633d46b0a23823a
SHA256

023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82
SHA512

2a0bf4048c1a9eca9e13566b1512403b51462c8eb71cfb273225fbc221aa156a3d3eb571fa5328ff2f4e2ef7026b3e8847f0c0a739d8f989ba716efa411821a6
SSDEEP

6144:sTlCgffOYPE99pqcLE9zn0HJGsfb7cwhl7e/:sJfWP9p1Lgzmbgye/

Score

10^/10

zloader pref fpref botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

pref

Campaign

fpref

http://penaz.info/gate.php

http:// advokat-hodonin.info/gate.php

Attributes

build_id
7

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yvqezau = "C:\\Users\\Admin\\AppData\\Roaming\\Afzyit\\tisee.exe"	msiexec.exe

Blocklisted process makes network request 49 IoCs

Processes:

msiexec.exe

flow	pid	process
4	840	msiexec.exe
5	840	msiexec.exe
8	840	msiexec.exe
10	840	msiexec.exe
12	840	msiexec.exe
14	840	msiexec.exe
15	840	msiexec.exe
16	840	msiexec.exe
17	840	msiexec.exe
18	840	msiexec.exe
19	840	msiexec.exe
20	840	msiexec.exe
21	840	msiexec.exe
22	840	msiexec.exe
23	840	msiexec.exe
24	840	msiexec.exe
28	840	msiexec.exe
29	840	msiexec.exe
30	840	msiexec.exe
31	840	msiexec.exe
32	840	msiexec.exe
33	840	msiexec.exe
34	840	msiexec.exe
35	840	msiexec.exe
36	840	msiexec.exe
37	840	msiexec.exe
38	840	msiexec.exe
39	840	msiexec.exe
40	840	msiexec.exe
41	840	msiexec.exe
42	840	msiexec.exe
43	840	msiexec.exe
44	840	msiexec.exe
45	840	msiexec.exe
46	840	msiexec.exe
47	840	msiexec.exe
48	840	msiexec.exe
49	840	msiexec.exe
50	840	msiexec.exe
51	840	msiexec.exe
54	840	msiexec.exe
56	840	msiexec.exe
57	840	msiexec.exe
58	840	msiexec.exe
59	840	msiexec.exe
60	840	msiexec.exe
61	840	msiexec.exe
63	840	msiexec.exe
65	840	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe

description	pid	process	target process
PID 2260 set thread context of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 840 msiexec.exe
Token: SeSecurityPrivilege 840 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	840	msiexec.exe
Token: SeSecurityPrivilege	840	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe

description	pid	process	target process
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe
PID 2260 wrote to memory of 840	2260	023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe
"C:\Users\Admin\AppData\Local\Temp\023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Adds Run key to start application
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab79B4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A24.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/840-5-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/840-6-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/840-7-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/2260-0-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2260-1-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/2260-4-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/2260-8-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download