Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: zloader_1.7.1.0.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: zloader_1.7.1.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: zloader_1.7.1.0.vir.exe
Size: 2.9MB
MD5: 03915a1f03df164f48ac4dfd04d9c2c4
SHA1: b3668d82afdbf2995c4195973525b0b00b8e21b1
SHA256: 7c73619ff8d5e4ed3b29b7ae71a69602df4071fd8c1029f9674e9978cdc03de9
SHA512: 5337c6dbc5986470bd4d48919537f4142ea47c08f77f148c223b609e361e8c83c98a55a399fa0e376972d1d379c0dd0bc0185af9e6a4820f9add7b9513576c5f
Score: 7/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: zloader_1.7.1.0.vir.exe, explorer.exe, Explorer.EXE
  description                      | pid  | process                 | target process
  PID 3780 wrote to memory of 3964 | 3780 | zloader_1.7.1.0.vir.exe | explorer.exe   (3 entries)
  PID 3964 wrote to memory of 2988 | 3964 | explorer.exe            | Explorer.EXE   (3 entries)
  PID 2988 wrote to memory of 1692 | 2988 | Explorer.EXE            | msiexec.exe    (4 entries)
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: Explorer.EXE
  pid  | process
  2988 | Explorer.EXE
- NTFS ADS (1 IoC)
  Processes: Explorer.EXE
  description                  | ioc                                                            | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Olduo\ynuf.exe:Zone.Identifier | Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: zloader_1.7.1.0.vir.exe
  pid  | process
  3780 | zloader_1.7.1.0.vir.exe   (2 entries)
- Suspicious behavior: EnumeratesProcesses (2790 IoCs)
  Processes: explorer.exe, Explorer.EXE
  pid  | process
  3964 | explorer.exe   (2 entries)
  2988 | Explorer.EXE   (all remaining listed entries; the report shows only a subset of the 2790 IoCs)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: Explorer.EXE
  description                       | pid  | process
  Token: SeSecurityPrivilege        | 2988 | Explorer.EXE
  Token: SeSecurityPrivilege        | 2988 | Explorer.EXE
  Token: SeShutdownPrivilege        | 2988 | Explorer.EXE
  Token: SeCreatePagefilePrivilege  | 2988 | Explorer.EXE
  Token: SeShutdownPrivilege        | 2988 | Explorer.EXE
  Token: SeCreatePagefilePrivilege  | 2988 | Explorer.EXE
  Token: SeShutdownPrivilege        | 2988 | Explorer.EXE
  Token: SeCreatePagefilePrivilege  | 2988 | Explorer.EXE
- Deletes itself (1 IoC)
  Processes: Explorer.EXE
  pid  | process
  2988 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: Explorer.EXE
  pid  | process
  2988 | Explorer.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Explorer.EXE
  description     | ioc                                                                                                                                                                       | process
  Key created     | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run                                                               | Explorer.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\alyvpaweeppy = "C:\\Users\\Admin\\AppData\\Roaming\\Olduo\\ynuf.exe" | Explorer.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Windows\Explorer.EXE (depth 1; command line: C:\Windows\Explorer.EXE)
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Deletes itself
  - Suspicious use of FindShellTrayWindow
  - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\zloader_1.7.1.0.vir.exe (depth 2; command line: "C:\Users\Admin\AppData\Local\Temp\zloader_1.7.1.0.vir.exe")
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\explorer.exe (depth 3; command line: "C:\Windows\SysWOW64\explorer.exe")
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\msiexec.exe (depth 2; command line: C:\Windows\system32\msiexec.exe)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3780-0-0x0000000000401000-0x0000000000402000-memory.dmp (filesize: 4KB)
- memory/3964-1-0x0000000000000000-mapping.dmp
- memory/3964-2-0x0000000000DE0000-0x000000000121F000-memory.dmp (filesize: 4.2MB)
- memory/3964-3-0x0000000000DE0000-0x000000000121F000-memory.dmp (filesize: 4.2MB)