Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-11-2020 08:18
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: zloader.exe
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: zloader.exe
  - Resource: win10v20201028
General
- Target: zloader.exe
- Size: 319KB
- MD5: 5034b55a6c699f749cccefdaf5e0f9b6
- SHA1: ab45d5c6f15387452182628cb0a126842f695517
- SHA256: 04fc25369aa79c99f817ec025ad70a5f4cd9e1503c499e5ec42ec5f92e23c9a4
- SHA512: b4323ecddf7fa46866fb3ff42ebaa9cb6cf7a86047058f4e8c11bd2e8b7963bd1e20d0d2e8b78b1a09188a5398af45fc0f295fc2ec7147e87b0249e3ae4c9eab
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description; pid; process; target process):
    PID 3424 created 3028; 3424; zloader.exe; Explorer.EXE
- Loads dropped DLL (1 IoC)
  Processes (pid; process):
    4684; zloader.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description; pid; process; target process):
    PID 4684 set thread context of 3424; 4684; zloader.exe; zloader.exe
    PID 3424 set thread context of 2524; 3424; zloader.exe; msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid; process):
    3424; zloader.exe
    3424; zloader.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid; process):
    4684; zloader.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description; pid; process):
    Token: SeDebugPrivilege; 3424; zloader.exe
    Token: SeSecurityPrivilege; 2524; msiexec.exe
    Token: SeSecurityPrivilege; 2524; msiexec.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description; pid; process; target process):
    PID 4684 wrote to memory of 3424; 4684; zloader.exe; zloader.exe (4 occurrences)
    PID 3424 wrote to memory of 2524; 3424; zloader.exe; msiexec.exe (5 occurrences)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\zloader.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zloader.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zloader.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\zloader.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (depth 2)
    Command line: msiexec.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- \Users\Admin\AppData\Local\Temp\nsv60D4.tmp\System.dll
  - MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  - SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  - SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  - SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- memory/2524-5-0x0000000002E10000-0x0000000002E3C000-memory.dmp
  - Filesize: 176KB
- memory/2524-6-0x0000000000000000-mapping.dmp
- memory/3424-1-0x0000000000400000-0x000000000042C000-memory.dmp
  - Filesize: 176KB
- memory/3424-2-0x0000000000405940-mapping.dmp
- memory/3424-3-0x0000000000400000-0x000000000042C000-memory.dmp
  - Filesize: 176KB