cc59f4e889283e3dff30ef291a50234772901a99168cecc501f86e75dac3b7ef

General

Target

zloader_1.5.4.0.vir.exe
Size

115KB
MD5

c39aabd5a338b76aaf1479baf5b50461
SHA1

b04e684c0d733330d27bd6b456565b26690b49c3
SHA256

cc59f4e889283e3dff30ef291a50234772901a99168cecc501f86e75dac3b7ef
SHA512

b746dae281e43291590eccb9ef15aa10f40bfb527773080054835920432c2926133c19521df3b570d6e89cace0d8d228d6354e0a41f800a8918afd5def0d348f

Score

8^/10

upx

Malware Config

Signatures

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

zloader_1.5.4.0.vir.exezloader_1.5.4.0.vir.exe

description	pid	process	target process
PID 2460 wrote to memory of 3948	2460	zloader_1.5.4.0.vir.exe	cmd.exe
PID 2460 wrote to memory of 3948	2460	zloader_1.5.4.0.vir.exe	cmd.exe
PID 2460 wrote to memory of 3948	2460	zloader_1.5.4.0.vir.exe	cmd.exe
PID 2460 wrote to memory of 3872	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3872	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3872	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3836	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3836	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3836	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3340	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3340	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3340	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3804	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3804	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3804	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3820	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3820	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3820	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3816	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3816	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3816	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3840	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3840	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3840	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3864	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3864	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3864	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe
PID 3932 wrote to memory of 4056	3932	zloader_1.5.4.0.vir.exe	explorer.exe
PID 3932 wrote to memory of 4056	3932	zloader_1.5.4.0.vir.exe	explorer.exe
PID 3932 wrote to memory of 4056	3932	zloader_1.5.4.0.vir.exe	explorer.exe
PID 2460 wrote to memory of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2540 3892 WerFault.exe iexplore.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

zloader_1.5.4.0.vir.exe

pid process

3932 zloader_1.5.4.0.vir.exe
3932 zloader_1.5.4.0.vir.exe

pid	pid_target	process	target process
2540	3892	WerFault.exe	iexplore.exe

pid	process
3932	zloader_1.5.4.0.vir.exe
3932	zloader_1.5.4.0.vir.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3892-1-0x0000000000400000-0x00000000009DC000-memory.dmp	upx
behavioral2/memory/3892-4-0x0000000000400000-0x00000000009DC000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

zloader_1.5.4.0.vir.exe

pid process

2460 zloader_1.5.4.0.vir.exe
2460 zloader_1.5.4.0.vir.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

zloader_1.5.4.0.vir.exeWerFault.exe

pid	process
2460	zloader_1.5.4.0.vir.exe
2460	zloader_1.5.4.0.vir.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

zloader_1.5.4.0.vir.exe

description	pid	process	target process
PID 2460 set thread context of 3892	2460	zloader_1.5.4.0.vir.exe	iexplore.exe
PID 2460 set thread context of 3932	2460	zloader_1.5.4.0.vir.exe	zloader_1.5.4.0.vir.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2540 WerFault.exe
Token: SeBackupPrivilege 2540 WerFault.exe
Token: SeDebugPrivilege 2540 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2540	WerFault.exe
Token: SeBackupPrivilege	2540	WerFault.exe
Token: SeDebugPrivilege	2540	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\zloader_1.5.4.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.5.4.0.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\zloader_1.5.4.0.vir.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:3948

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3872

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3836

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3340

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3804

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3820

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3816

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3840

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3864

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 536
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Users\Admin\AppData\Local\Temp\zloader_1.5.4.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.5.4.0.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:3932

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-13-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/2540-8-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3892-11-0x000000000040D770-mapping.dmp

Download
memory/3892-1-0x0000000000400000-0x00000000009DC000-memory.dmp

Filesize
5.9MB

Download
memory/3892-2-0x000000000040D770-mapping.dmp

Download
memory/3892-4-0x0000000000400000-0x00000000009DC000-memory.dmp

Filesize
5.9MB

Download
memory/3892-12-0x000000000040D770-mapping.dmp

Download
memory/3892-10-0x000000000040D770-mapping.dmp

Download
memory/3932-3-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3932-5-0x0000000000401B70-mapping.dmp

Download
memory/3948-0-0x0000000000000000-mapping.dmp

Download
memory/4056-6-0x0000000000000000-mapping.dmp

Download
memory/4056-9-0x0000000001110000-0x000000000154F000-memory.dmp

Filesize
4.2MB

Download
memory/4056-7-0x0000000001110000-0x000000000154F000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads