Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-03-2024 10:24
Static task: static1

Behavioral task: behavioral1
  Sample: Device/HarddiskVolume7/imaginaryC2-master/examples/use-case-9-zloader/zloader-imaginary-c2/server_da.dll
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: Device/HarddiskVolume7/imaginaryC2-master/examples/use-case-9-zloader/zloader-imaginary-c2/server_da.dll
  Resource: win10v2004-20240226-en
General

Target: Device/HarddiskVolume7/imaginaryC2-master/examples/use-case-9-zloader/zloader-imaginary-c2/server_da.dll
Size: 838KB
MD5: 57138593c18492f813e426719ebed2e8
SHA1: 7d44bd7d83dace54b68f93ef16b7a70173dc9ccf
SHA256: d0226de456f5fb75ae7588d57bb9368848aa01afae86893d6da2b95098080c97
SHA512: 57097f8dea1681713ebe983f2e1829ea21536c1bb867865b65ce8497fca67ca89ae148f0a77bdd9c5622b60b29344a83bfea9b09cbf388336c764840b5e32daa
SSDEEP: 6144:oxG3wZYnmy+9Mw6PeJ/Oubatb6pf4Pbjmr9UnbNzLLxsw:NwZYn72hSS9gbNzLLOw
Malware Config

Extracted
  Family: zloader
  main
  26.04.2020
  https://coult.org/sound.php
  https://chorbly.org/sound.php
  https://kodray.org/sound.php
  https://retualeigh.com/sound.php
  https://grually.com/sound.php
  https://footmess.com/sound.php
  https://rarigussa.com/sound.php
  https://pacallse.com/sound.php
  build_id: 47
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycgoe = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Neokqo\\osip.dll,DllRegisterServer"
  Process: msiexec.exe

Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  323   4948  msiexec.exe
  325   4948  msiexec.exe
  338   4948  msiexec.exe
  341   4948  msiexec.exe
  352   4948  msiexec.exe
  355   4948  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 3796 set thread context of 4948  3796  rundll32.exe  102

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeSecurityPrivilege  4948  msiexec.exe
  Token: SeSecurityPrivilege  4948  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process       procid_target
  PID 3924 wrote to memory of 3796  3924  rundll32.exe  87
  PID 3924 wrote to memory of 3796  3924  rundll32.exe  87
  PID 3924 wrote to memory of 3796  3924  rundll32.exe  87
  PID 3796 wrote to memory of 4948  3796  rundll32.exe  102
  PID 3796 wrote to memory of 4948  3796  rundll32.exe  102
  PID 3796 wrote to memory of 4948  3796  rundll32.exe  102
  PID 3796 wrote to memory of 4948  3796  rundll32.exe  102
  PID 3796 wrote to memory of 4948  3796  rundll32.exe  102
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume7\imaginaryC2-master\examples\use-case-9-zloader\zloader-imaginary-c2\server_da.dll,#1
  PID: 3924
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume7\imaginaryC2-master\examples\use-case-9-zloader\zloader-imaginary-c2\server_da.dll,#1
    PID: 3796
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      PID: 4948
      - Adds Run key to start application
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken