Analysis
max time kernel: 147s
max time network: 145s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: zloader 2_1.0.10.0.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: zloader 2_1.0.10.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: zloader 2_1.0.10.0.vir.exe
Size: 139KB
MD5: d91b498e5fc6c91e1e86b339407b58f7
SHA1: 369e3c4646a69b99a797e0e288fd3145e2a6f35a
SHA256: cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9
SHA512: b981f7c4857327708233bf7e44bfb485c1cc7148ca850a63b12f854215edb583f5a499109d67b94f213226d23d0f4e0e5d04b888193fa5e799e30f051e9c9dbd
Score: 8/10
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | zloader 2_1.0.10.0.vir.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dyed = "C:\\Users\\Admin\\AppData\\Roaming\\Ifgoc\\guofhiib.exe" | msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid process | target process
  PID 3100 wrote to memory of 3864 | 3100 zloader 2_1.0.10.0.vir.exe | msiexec.exe
  PID 3100 wrote to memory of 3864 | 3100 zloader 2_1.0.10.0.vir.exe | msiexec.exe
  PID 3100 wrote to memory of 3864 | 3100 zloader 2_1.0.10.0.vir.exe | msiexec.exe
  PID 3100 wrote to memory of 3864 | 3100 zloader 2_1.0.10.0.vir.exe | msiexec.exe
  PID 3100 wrote to memory of 3864 | 3100 zloader 2_1.0.10.0.vir.exe | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid process | target process
  PID 3100 set thread context of 3864 | 3100 zloader 2_1.0.10.0.vir.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid process
  Token: SeSecurityPrivilege | 3864 msiexec.exe
  Token: SeSecurityPrivilege | 3864 msiexec.exe
- Blacklisted process makes network request (10 IoCs)
  Processes:
  flow | pid process
  31 | 3864 msiexec.exe
  32 | 3864 msiexec.exe
  33 | 3864 msiexec.exe
  34 | 3864 msiexec.exe
  35 | 3864 msiexec.exe
  40 | 3864 msiexec.exe
  41 | 3864 msiexec.exe
  42 | 3864 msiexec.exe
  43 | 3864 msiexec.exe
  44 | 3864 msiexec.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.10.0.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.10.0.vir.exe"
   - Enumerates system info in registry
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Windows\SysWOW64\msiexec.exe (child of process 1)
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Blacklisted process makes network request