Analysis
max time kernel: 141s
max time network: 141s
platform: windows10_x64
resource: win10v200430
submitted: 19-07-2020 17:24
Static task: static1
Behavioral task: behavioral1
  Sample: zloader_1.4.1.0.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: zloader_1.4.1.0.vir.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: zloader_1.4.1.0.vir.exe
Size: 122KB
MD5: 4fe348a6793b42a223caac836a16f7ca
SHA1: 812a2f06977e0d7e59c7e32ce811eab7d3eff9f0
SHA256: 4e6fa76a7436db34f333229ff4fb355a60a98038702b828c31b38bf70a325a62
SHA512: a308aa997d58b51c1fd9c70bbb4d40e1ea6439185de8758ca5373feb5196bcb5f3fe063e10eda27ec461320065c08fd7e876d0543529b1a15005c56c91ae0203
Score: 3/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid   process                  target process
  PID 1356 wrote to memory of 1600    1356  zloader_1.4.1.0.vir.exe  explorer.exe
  PID 1356 wrote to memory of 1600    1356  zloader_1.4.1.0.vir.exe  explorer.exe
  PID 1356 wrote to memory of 1600    1356  zloader_1.4.1.0.vir.exe  explorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  1356  zloader_1.4.1.0.vir.exe
  1356  zloader_1.4.1.0.vir.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1612  1356        WerFault.exe  zloader_1.4.1.0.vir.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1612  WerFault.exe
  Token: SeBackupPrivilege   1612  WerFault.exe
  Token: SeDebugPrivilege    1612  WerFault.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid   process
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
  1612  WerFault.exe
Processes (process tree; depth in parentheses)

(1) C:\Users\Admin\AppData\Local\Temp\zloader_1.4.1.0.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\zloader_1.4.1.0.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection

    (2) C:\Windows\SysWOW64\explorer.exe
        command line: "C:\Windows\SysWOW64\explorer.exe"

    (2) C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 408
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
memory/1600-0-0x0000000000000000-mapping.dmp
memory/1600-1-0x0000000000BF0000-0x000000000102F000-memory.dmp (Filesize: 4.2MB)
memory/1600-2-0x0000000000BF0000-0x000000000102F000-memory.dmp (Filesize: 4.2MB)
memory/1612-3-0x00000000044A0000-0x00000000044A1000-memory.dmp (Filesize: 4KB)
memory/1612-4-0x0000000004CA0000-0x0000000004CA1000-memory.dmp (Filesize: 4KB)