Analysis

  • max time kernel
    149s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 08:09

General

  • Target

    Z15L.exe

  • Size

    535KB

  • MD5

    8201a2b265f439d26d57f1956b82a1fb

  • SHA1

    1ef71a20564a1a6c26c4467fd10b24337cd1cc9c

  • SHA256

    d3e1f5cc557fedb2c060faa7f234f4a09ba408c428e1c2275b2e713e0bf68db7

  • SHA512

    7ebf6b7a31125d89d0c4a774d7b4e925a9a6c7ebd70961144f02d21e0a22cedd7163a0462843c4cb6e06f124814d427a0feed2b4e936465b43cc4fb6567666a2

Score
8/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • Checks whether UAC is enabled
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\Z15L.exe
      "C:\Users\Admin\AppData\Local\Temp\Z15L.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Loads dropped DLL
      PID:1088
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetThreadContext
        PID:304
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      PID:1508
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
          PID:1792

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

    • \Users\Admin\AppData\Local\Temp\InstallUtil.exe

    • memory/304-4-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

    • memory/304-5-0x000000000041E280-mapping.dmp

    • memory/1088-1-0x0000000000000000-0x0000000000000000-disk.dmp

    • memory/1508-7-0x0000000000000000-mapping.dmp

    • memory/1508-8-0x0000000000AD0000-0x0000000000BC4000-memory.dmp

      Filesize

      976KB

    • memory/1508-11-0x00000000032D0000-0x00000000033DC000-memory.dmp

      Filesize

      1.0MB

    • memory/1792-10-0x0000000000000000-mapping.dmp