Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:22
Static task: static1

Behavioral task: behavioral1
- Sample: zloader_1.15.4.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: zloader_1.15.4.0.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: zloader_1.15.4.0.vir.exe
- Size: 352KB
- MD5: a7aeb6dc35eeb3dfae02f9306d6426a1
- SHA1: 1f3fba90f7fc853319f8546568c7f9fbe5f1e0ee
- SHA256: c7d7e6c6dc477e5fdb2b2a26eed1b53e77d455dbec8df800927a5bae69a2cc10
- SHA512: 3a493c066578f433da6bf2076d057f017d64fc3337a26e6dc327cf3592c8b56f36b855f03254ccadd61d98bcc47bcbe4f8e8e41302c28e746686fcf8f64af6e2
- Score: 1/10
Malware Config
Signatures
Modifies data under HKEY_USERS (2 IoCs)
Processes: svchost.exe
description | ioc | process
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: svchost.exe
description | pid | process
- Token: SeShutdownPrivilege | 676 | svchost.exe
- Token: SeCreatePagefilePrivilege | 676 | svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: zloader_1.15.4.0.vir.exe
description | pid | process | target process
- PID 3656 wrote to memory of 1876 | 3656 | zloader_1.15.4.0.vir.exe | explorer.exe
- PID 3656 wrote to memory of 1876 | 3656 | zloader_1.15.4.0.vir.exe | explorer.exe
- PID 3656 wrote to memory of 1876 | 3656 | zloader_1.15.4.0.vir.exe | explorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: zloader_1.15.4.0.vir.exe
pid | process
- 3656 | zloader_1.15.4.0.vir.exe
- 3656 | zloader_1.15.4.0.vir.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\zloader_1.15.4.0.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\zloader_1.15.4.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\explorer.exe
    command line: explorer.exe
- \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
  - Modifies data under HKEY_USERS
- \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Suspicious use of AdjustPrivilegeToken