b548f01428cb26a5870602e8018adbce814dd2ed53a6b1f74c3b3b7bf23fa965

Resubmissions

27/11/2022, 22:48

221127-2rhrjaec38 8

27/11/2022, 22:43

221127-2nlzsahh4w 8

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zemana.AntiMalware.Setup.exe
Size

13.3MB
MD5

048ea3233e0e7611ab414684583c1421
SHA1

026e20baca271cbfea44fa2ce6f3e405ca5d263d
SHA256

b548f01428cb26a5870602e8018adbce814dd2ed53a6b1f74c3b3b7bf23fa965
SHA512

7ced1bb205695c9ed1556f597682ffd74c6207a48961668d2f2e1e2eca84929297a9321e6cc3112d8af1078edc7c9e54b1ff5a2657fbbc45df52e7baaa3565c6
SSDEEP

393216:yx6PWxMcegOTpxpCmJRSnqhMTU22r+YDJpZXtPq8:yx7qgmpxNJIqKTJ2r+0pZFl

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\amsdk.sys	Zemana.AntiMalware.Setup.tmp

Executes dropped EXE 2 IoCs

pid	Process
1388	Zemana.AntiMalware.Setup.tmp
1864	ZemanaAntiMalwareSetup.tmp

Loads dropped DLL 4 IoCs

pid	Process
704	Zemana.AntiMalware.Setup.exe
1388	Zemana.AntiMalware.Setup.tmp
1012	ZemanaAntiMalwareSetup.exe
1864	ZemanaAntiMalwareSetup.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1388	Zemana.AntiMalware.Setup.tmp
1388	Zemana.AntiMalware.Setup.tmp
1864	ZemanaAntiMalwareSetup.tmp
1864	ZemanaAntiMalwareSetup.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1388	704	Zemana.AntiMalware.Setup.exe	27
PID 704 wrote to memory of 1388	704	Zemana.AntiMalware.Setup.exe	27
PID 704 wrote to memory of 1388	704	Zemana.AntiMalware.Setup.exe	27
PID 704 wrote to memory of 1388	704	Zemana.AntiMalware.Setup.exe	27
PID 704 wrote to memory of 1388	704	Zemana.AntiMalware.Setup.exe	27
PID 704 wrote to memory of 1388	704	Zemana.AntiMalware.Setup.exe	27
PID 704 wrote to memory of 1388	704	Zemana.AntiMalware.Setup.exe	27
PID 1012 wrote to memory of 1864	1012	ZemanaAntiMalwareSetup.exe	30
PID 1012 wrote to memory of 1864	1012	ZemanaAntiMalwareSetup.exe	30
PID 1012 wrote to memory of 1864	1012	ZemanaAntiMalwareSetup.exe	30
PID 1012 wrote to memory of 1864	1012	ZemanaAntiMalwareSetup.exe	30
PID 1012 wrote to memory of 1864	1012	ZemanaAntiMalwareSetup.exe	30
PID 1012 wrote to memory of 1864	1012	ZemanaAntiMalwareSetup.exe	30
PID 1012 wrote to memory of 1864	1012	ZemanaAntiMalwareSetup.exe	30

C:\Users\Admin\AppData\Local\Temp\Zemana.AntiMalware.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Zemana.AntiMalware.Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\is-OSTBE.tmp\Zemana.AntiMalware.Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OSTBE.tmp\Zemana.AntiMalware.Setup.tmp" /SL5="$60126,13025042,780800,C:\Users\Admin\AppData\Local\Temp\Zemana.AntiMalware.Setup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1388

C:\Users\Admin\AppData\Local\Temp\ZemanaAntiMalwareSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ZemanaAntiMalwareSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\is-HGJG9.tmp\ZemanaAntiMalwareSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HGJG9.tmp\ZemanaAntiMalwareSetup.tmp" /SL5="$501C8,13025042,780800,C:\Users\Admin\AppData\Local\Temp\ZemanaAntiMalwareSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HGJG9.tmp\ZemanaAntiMalwareSetup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSTBE.tmp\Zemana.AntiMalware.Setup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-HGJG9.tmp\ZemanaAntiMalwareSetup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-OSTBE.tmp\Zemana.AntiMalware.Setup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-PPORS.tmp\AMSDKCore399001.dll

Filesize
17.1MB

MD5
bd1cd3cb27c3687f70789c96bd324381

SHA1
474ac73892fcb8f2d7f44fabb8020dfd1cf415bd

SHA256
2c63c9035a5794423fcf360a685c321c0d1a4e72c4dca4c66a87d7a2157d3bb5

SHA512
c601946878720f83fe41e215cedbd00b71bcb0a81022becf8e78848693a9d4e82b57f9ee935999b4fa1500f21ade0727ad5b6c25a414e3c459d87bdb7706b953

Download Submit
\Users\Admin\AppData\Local\Temp\is-PQS9M.tmp\AMSDKCore399001.dll

Filesize
17.1MB

MD5
bd1cd3cb27c3687f70789c96bd324381

SHA1
474ac73892fcb8f2d7f44fabb8020dfd1cf415bd

SHA256
2c63c9035a5794423fcf360a685c321c0d1a4e72c4dca4c66a87d7a2157d3bb5

SHA512
c601946878720f83fe41e215cedbd00b71bcb0a81022becf8e78848693a9d4e82b57f9ee935999b4fa1500f21ade0727ad5b6c25a414e3c459d87bdb7706b953

Download Submit
memory/704-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/704-61-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/704-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/704-65-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1012-71-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1012-67-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1388-64-0x0000000003F30000-0x0000000005452000-memory.dmp

Filesize
21.1MB

Download
memory/1388-63-0x0000000003F31000-0x00000000043C9000-memory.dmp

Filesize
4.6MB

Download
memory/1864-75-0x0000000003DB1000-0x0000000004249000-memory.dmp

Filesize
4.6MB

Download
memory/1864-76-0x0000000003DB0000-0x00000000052D2000-memory.dmp

Filesize
21.1MB

Download