c7d7e6c6dc477e5fdb2b2a26eed1b53e77d455dbec8df800927a5bae69a2cc10 | Triage

Analysis

max time kernel
144s
max time network
146s
platform
windows10_x64
resource
win10v200430
submitted
19-07-2020 19:22

Sharing

Report Analysis Logs

General

Target

zloader_1.15.4.0.vir.exe
Size

352KB
MD5

a7aeb6dc35eeb3dfae02f9306d6426a1
SHA1

1f3fba90f7fc853319f8546568c7f9fbe5f1e0ee
SHA256

c7d7e6c6dc477e5fdb2b2a26eed1b53e77d455dbec8df800927a5bae69a2cc10
SHA512

3a493c066578f433da6bf2076d057f017d64fc3337a26e6dc327cf3592c8b56f36b855f03254ccadd61d98bcc47bcbe4f8e8e41302c28e746686fcf8f64af6e2

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 676 svchost.exe
Token: SeCreatePagefilePrivilege 676 svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

zloader_1.15.4.0.vir.exe

description	pid	process	target process
PID 3656 wrote to memory of 1876	3656	zloader_1.15.4.0.vir.exe	explorer.exe
PID 3656 wrote to memory of 1876	3656	zloader_1.15.4.0.vir.exe	explorer.exe
PID 3656 wrote to memory of 1876	3656	zloader_1.15.4.0.vir.exe	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

zloader_1.15.4.0.vir.exe

pid process

3656 zloader_1.15.4.0.vir.exe
3656 zloader_1.15.4.0.vir.exe

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.4.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.4.0.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:3656

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1876

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-0-0x0000000000000000-mapping.dmp

Download
memory/1876-1-0x0000000000EB0000-0x00000000012EF000-memory.dmp

Filesize
4.2MB

Download
memory/1876-2-0x0000000000EB0000-0x00000000012EF000-memory.dmp

Filesize
4.2MB

Download