zloader | 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37

Resubmissions

10-09-2024 16:21

240910-ttserasepr 10

28-07-2020 23:07

200728-dgaye9ycja 10

Analysis

max time kernel
298s
max time network
300s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cYNhXOc.dll
Size

508KB
MD5

7bebb1b85a609733df0b3205406723bb
SHA1

384f07648c732cd9490b7d3bff41ce5a0911b138
SHA256

02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37
SHA512

4147af9ed60d340218deb382374a015a3bb4cc4abc585e833e1a81ba21bf05f485e2a4cfc7b99223e9015ccda993c5ff19693ce7c00fb18701e66cd259422865
SSDEEP

6144:pThNEjn8Y+DbK916qEs+9RE3ZiK8jhUIBJawdcM+G7z7oqlpQYkYXlcYS:Zbg8Y+Db7qEs+MJZChUIBMvZA1kGd

Score

10^/10

zloader july28 july28 botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

july28

Campaign

july28

https://vlcafxbdjtlvlcduwhga.com/web/post.php

https://softwareserviceupdater3.com/web/post.php

https://softwareserviceupdater4.com/web/post.php

Attributes

build_id
20

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 1488 created 1200	1488	regsvr32.exe	21

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 1488 set thread context of 2180	1488	regsvr32.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid	Process
1488	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

regsvr32.exemsiexec.exe

description	pid	Process
Token: SeDebugPrivilege	1488	regsvr32.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeSecurityPrivilege	2180	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 1376 wrote to memory of 1488	1376	regsvr32.exe	31
PID 1376 wrote to memory of 1488	1376	regsvr32.exe	31
PID 1376 wrote to memory of 1488	1376	regsvr32.exe	31
PID 1376 wrote to memory of 1488	1376	regsvr32.exe	31
PID 1376 wrote to memory of 1488	1376	regsvr32.exe	31
PID 1376 wrote to memory of 1488	1376	regsvr32.exe	31
PID 1376 wrote to memory of 1488	1376	regsvr32.exe	31
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32
PID 1488 wrote to memory of 2180	1488	regsvr32.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cYNhXOc.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\cYNhXOc.dll
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1488
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-0-0x0000000010079000-0x000000001007D000-memory.dmp

Filesize
16KB

Download
memory/1488-1-0x0000000010000000-0x00000000100D8000-memory.dmp

Filesize
864KB

Download
memory/1488-2-0x0000000010000000-0x00000000100D8000-memory.dmp

Filesize
864KB

Download
memory/1488-3-0x0000000010079000-0x000000001007D000-memory.dmp

Filesize
16KB

Download
memory/1488-12-0x0000000010000000-0x00000000100D8000-memory.dmp

Filesize
864KB

Download
memory/2180-9-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2180-8-0x00000000000B0000-0x00000000000DB000-memory.dmp

Filesize
172KB

Download
memory/2180-11-0x00000000000B0000-0x00000000000DB000-memory.dmp

Filesize
172KB

Download
memory/2180-14-0x00000000000B0000-0x00000000000DB000-memory.dmp

Filesize
172KB

Download