Analysis
max time kernel: 149s
max time network: 63s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 08:09

Static task: static1

Behavioral task: behavioral1
Sample: Z15L.exe
Resource: win7 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Z15L.exe
Resource: win10v200430 (windows10_x64)
0 signatures
0 seconds
General
Target: Z15L.exe
Size: 535KB
MD5: 8201a2b265f439d26d57f1956b82a1fb
SHA1: 1ef71a20564a1a6c26c4467fd10b24337cd1cc9c
SHA256: d3e1f5cc557fedb2c060faa7f234f4a09ba408c428e1c2275b2e713e0bf68db7
SHA512: 7ebf6b7a31125d89d0c4a774d7b4e925a9a6c7ebd70961144f02d21e0a22cedd7163a0462843c4cb6e06f124814d427a0feed2b4e936465b43cc4fb6567666a2
Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
  pid   process          occurrences
  1088  Z15L.exe         3
  304   InstallUtil.exe  2
  1508  msdt.exe         18

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  304   InstallUtil.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process          occurrences
  304   InstallUtil.exe  3
  1508  msdt.exe         2

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
  pid   process       occurrences
  1276  Explorer.EXE  5

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid   process       occurrences
  1276  Explorer.EXE  4

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1088  Z15L.exe
  Token: SeDebugPrivilege  304   InstallUtil.exe
  Token: SeDebugPrivilege  1508  msdt.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                       pid   process       target process   occurrences
  PID 1088 wrote to memory of 304   1088  Z15L.exe      InstallUtil.exe  10
  PID 1276 wrote to memory of 1508  1276  Explorer.EXE  msdt.exe         4
  PID 1508 wrote to memory of 1792  1508  msdt.exe      cmd.exe          4

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process          target process
  PID 1088 set thread context of 304   1088  Z15L.exe         InstallUtil.exe
  PID 304 set thread context of 1276   304   InstallUtil.exe  Explorer.EXE
  PID 1508 set thread context of 1276  1508  msdt.exe         Explorer.EXE
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  1088  Z15L.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1276
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Checks whether UAC is enabled

  C:\Users\Admin\AppData\Local\Temp\Z15L.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Z15L.exe"
    PID: 1088
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Loads dropped DLL

    C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      PID: 304
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    PID: 1508
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      PID: 1792