Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: zloader_1.8.0.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: zloader_1.8.0.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: zloader_1.8.0.0.vir.exe
- Size: 3.3MB
- MD5: 8211a69a3a068265e8b9ab03e4546581
- SHA1: e4e520c3ae68ab2ed566d1f090ef0dc5c8003b0e
- SHA256: f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39
- SHA512: 5b52482d6de03084fcf06c846f59f6455ab3635b80c100d523f48ae780e4f31675948488f00005806416d76c4e056ca87a96d6db7dae9e80d941c2226dbf2075
- Score: 8/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2798 IoCs)
  Processes (pid, process):
    2304 explorer.exe
    2304 explorer.exe
    2964 Explorer.EXE (this entry is repeated for the remaining listed IoCs)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege        2964 Explorer.EXE
    Token: SeSecurityPrivilege        2964 Explorer.EXE
    Token: SeShutdownPrivilege        2964 Explorer.EXE
    Token: SeCreatePagefilePrivilege  2964 Explorer.EXE
    Token: SeShutdownPrivilege        2964 Explorer.EXE
    Token: SeCreatePagefilePrivilege  2964 Explorer.EXE
    Token: SeShutdownPrivilege        2964 Explorer.EXE
    Token: SeCreatePagefilePrivilege  2964 Explorer.EXE
- Deletes itself (1 IoCs)
  Processes (pid, process):
    2964 Explorer.EXE
- Blacklisted process makes network request (6 IoCs)
  Processes (flow, pid, process):
    12  3888 msiexec.exe
    13  3888 msiexec.exe
    14  3888 msiexec.exe
    15  3888 msiexec.exe
    16  3888 msiexec.exe
    17  3888 msiexec.exe
- NTFS ADS (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Omup\feemu.exe:Zone.Identifier  Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
    PID 792 wrote to memory of 2304   792  zloader_1.8.0.0.vir.exe  explorer.exe
    PID 792 wrote to memory of 2304   792  zloader_1.8.0.0.vir.exe  explorer.exe
    PID 792 wrote to memory of 2304   792  zloader_1.8.0.0.vir.exe  explorer.exe
    PID 2304 wrote to memory of 2964  2304 explorer.exe             Explorer.EXE
    PID 2304 wrote to memory of 2964  2304 explorer.exe             Explorer.EXE
    PID 2304 wrote to memory of 2964  2304 explorer.exe             Explorer.EXE
    PID 2964 wrote to memory of 3888  2964 Explorer.EXE             msiexec.exe
    PID 2964 wrote to memory of 3888  2964 Explorer.EXE             msiexec.exe
    PID 2964 wrote to memory of 3888  2964 Explorer.EXE             msiexec.exe
    PID 2964 wrote to memory of 3888  2964 Explorer.EXE             msiexec.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    792 zloader_1.8.0.0.vir.exe
    792 zloader_1.8.0.0.vir.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
    2964 Explorer.EXE
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes (pid, process):
    2964 Explorer.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run  Explorer.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\oloscyvo = "C:\\Users\\Admin\\AppData\\Roaming\\Omup\\feemu.exe"  Explorer.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes (process tree; depth shown by indentation, command line in quotes where the report gives one)
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Deletes itself
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\zloader_1.8.0.0.vir.exe ("C:\Users\Admin\AppData\Local\Temp\zloader_1.8.0.0.vir.exe")
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\explorer.exe ("C:\Windows\SysWOW64\explorer.exe")
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\msiexec.exe (C:\Windows\system32\msiexec.exe)
    - Blacklisted process makes network request