Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:30
- Static task: static1
- Behavioral task: behavioral1 (Sample: zloader_1.8.0.0.vir.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: zloader_1.8.0.0.vir.exe, Resource: win10)
General
- Target: zloader_1.8.0.0.vir.exe
- Size: 3.3MB
- MD5: 8211a69a3a068265e8b9ab03e4546581
- SHA1: e4e520c3ae68ab2ed566d1f090ef0dc5c8003b0e
- SHA256: f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39
- SHA512: 5b52482d6de03084fcf06c846f59f6455ab3635b80c100d523f48ae780e4f31675948488f00005806416d76c4e056ca87a96d6db7dae9e80d941c2226dbf2075
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (source PID / process wrote to memory of target PID / target process, with number of occurrences):
    1612 zloader_1.8.0.0.vir.exe -> 364 explorer.exe (4 times)
    364 explorer.exe -> 1256 Explorer.EXE (3 times)
    1256 Explorer.EXE -> 1104 taskhost.exe (2 times)
    1256 Explorer.EXE -> 1184 Dwm.exe (2 times)
    1256 Explorer.EXE -> 1800 msiexec.exe (7 times)
- Deletes itself (1 IoC)
  Processes: 1256 Explorer.EXE
- Suspicious use of UnmapMainImage (8727 IoCs)
  Processes: 1256 Explorer.EXE (the same entry repeated for every IoC)
- Blacklisted process makes network request (6 IoCs)
  Processes (flow / PID / process): flows 7, 8, 9, 10, 11 and 12, all from 1800 msiexec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run (Explorer.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciedsyodb = "C:\\Users\\Admin\\AppData\\Roaming\\Oral\\yzirk.exe" (Explorer.EXE)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 1612 zloader_1.8.0.0.vir.exe (2 times)
- Suspicious behavior: EnumeratesProcesses (1414 IoCs)
  Processes: 364 explorer.exe (1 time); 1256 Explorer.EXE (repeated for the remaining IoCs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies system certificate store
  Processes (description / ioc / process):
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (msiexec.exe)
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob, not reproduced here) (msiexec.exe)
- Checks whether UAC is enabled
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)
- NTFS ADS (1 IoC)
  Processes (description / ioc / process):
    File opened for modification: C:\Users\Admin\AppData\Roaming\Oral\yzirk.exe:Zone.Identifier (Explorer.EXE)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / PID / process): Token: SeSecurityPrivilege 1256 Explorer.EXE (2 times)
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: 1256 Explorer.EXE (5 times)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: 1256 Explorer.EXE (4 times)
Processes (image path, command line; indentation shows the parent/child level)
- C:\Windows\system32\taskhost.exe  "taskhost.exe"
- C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Deletes itself
  - Suspicious use of UnmapMainImage
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Checks whether UAC is enabled
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\zloader_1.8.0.0.vir.exe  "C:\Users\Admin\AppData\Local\Temp\zloader_1.8.0.0.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe
    - Blacklisted process makes network request
    - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Oral\yzirk.exe
- memory/364-0-0x0000000000000000-mapping.dmp
- memory/364-1-0x00000000006C0000-0x0000000000941000-memory.dmp (Filesize: 2.5MB)
- memory/1104-2-0x0000000001B00000-0x0000000001B01000-memory.dmp (Filesize: 4KB)
- memory/1800-5-0x0000000000000000-mapping.dmp