zloader | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
124s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Size

144KB
MD5

9e9bb42a965b89a9dce86c8b36b24799
SHA1

e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
SHA256

08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
SHA512

e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
SSDEEP

3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY

Score

10^/10

zloader botnet persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acyfigfe = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Fubob\\yfyhfoih.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 4888 set thread context of 908 4888 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 908 msiexec.exe
Token: SeSecurityPrivilege 908 msiexec.exe

description	pid	process	target process
PID 4888 set thread context of 908	4888	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	908	msiexec.exe
Token: SeSecurityPrivilege	908	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3972 wrote to memory of 4888	3972	regsvr32.exe	regsvr32.exe
PID 3972 wrote to memory of 4888	3972	regsvr32.exe	regsvr32.exe
PID 3972 wrote to memory of 4888	3972	regsvr32.exe	regsvr32.exe
PID 4888 wrote to memory of 908	4888	regsvr32.exe	msiexec.exe
PID 4888 wrote to memory of 908	4888	regsvr32.exe	msiexec.exe
PID 4888 wrote to memory of 908	4888	regsvr32.exe	msiexec.exe
PID 4888 wrote to memory of 908	4888	regsvr32.exe	msiexec.exe
PID 4888 wrote to memory of 908	4888	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3740,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:8
1⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-0-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download