b548f01428cb26a5870602e8018adbce814dd2ed53a6b1f74c3b3b7bf23fa965

General

Target

Zemana.AntiMalware.Setup.exe
Size

13.3MB
MD5

048ea3233e0e7611ab414684583c1421
SHA1

026e20baca271cbfea44fa2ce6f3e405ca5d263d
SHA256

b548f01428cb26a5870602e8018adbce814dd2ed53a6b1f74c3b3b7bf23fa965
SHA512

7ced1bb205695c9ed1556f597682ffd74c6207a48961668d2f2e1e2eca84929297a9321e6cc3112d8af1078edc7c9e54b1ff5a2657fbbc45df52e7baaa3565c6
SSDEEP

393216:yx6PWxMcegOTpxpCmJRSnqhMTU22r+YDJpZXtPq8:yx7qgmpxNJIqKTJ2r+0pZFl

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\amsdk.sys	Zemana.AntiMalware.Setup.tmp
File opened for modification	C:\Windows\system32\drivers\amsdk.sys	ZemanaAntiMalwareSetup.tmp

Executes dropped EXE 2 IoCs

pid	Process
1780	Zemana.AntiMalware.Setup.tmp
1736	ZemanaAntiMalwareSetup.tmp

Loads dropped DLL 4 IoCs

pid	Process
1976	Zemana.AntiMalware.Setup.exe
1780	Zemana.AntiMalware.Setup.tmp
2016	ZemanaAntiMalwareSetup.exe
1736	ZemanaAntiMalwareSetup.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1780	Zemana.AntiMalware.Setup.tmp
1780	Zemana.AntiMalware.Setup.tmp
1736	ZemanaAntiMalwareSetup.tmp
1736	ZemanaAntiMalwareSetup.tmp

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
416	Process not Found
416	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1780	1976	Zemana.AntiMalware.Setup.exe	28
PID 1976 wrote to memory of 1780	1976	Zemana.AntiMalware.Setup.exe	28
PID 1976 wrote to memory of 1780	1976	Zemana.AntiMalware.Setup.exe	28
PID 1976 wrote to memory of 1780	1976	Zemana.AntiMalware.Setup.exe	28
PID 1976 wrote to memory of 1780	1976	Zemana.AntiMalware.Setup.exe	28
PID 1976 wrote to memory of 1780	1976	Zemana.AntiMalware.Setup.exe	28
PID 1976 wrote to memory of 1780	1976	Zemana.AntiMalware.Setup.exe	28
PID 2016 wrote to memory of 1736	2016	ZemanaAntiMalwareSetup.exe	31
PID 2016 wrote to memory of 1736	2016	ZemanaAntiMalwareSetup.exe	31
PID 2016 wrote to memory of 1736	2016	ZemanaAntiMalwareSetup.exe	31
PID 2016 wrote to memory of 1736	2016	ZemanaAntiMalwareSetup.exe	31
PID 2016 wrote to memory of 1736	2016	ZemanaAntiMalwareSetup.exe	31
PID 2016 wrote to memory of 1736	2016	ZemanaAntiMalwareSetup.exe	31
PID 2016 wrote to memory of 1736	2016	ZemanaAntiMalwareSetup.exe	31

C:\Users\Admin\AppData\Local\Temp\Zemana.AntiMalware.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Zemana.AntiMalware.Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\is-HCB1P.tmp\Zemana.AntiMalware.Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HCB1P.tmp\Zemana.AntiMalware.Setup.tmp" /SL5="$70132,13025042,780800,C:\Users\Admin\AppData\Local\Temp\Zemana.AntiMalware.Setup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1780

C:\Users\Admin\AppData\Local\Temp\ZemanaAntiMalwareSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ZemanaAntiMalwareSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\is-1T5NG.tmp\ZemanaAntiMalwareSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1T5NG.tmp\ZemanaAntiMalwareSetup.tmp" /SL5="$501CA,13025042,780800,C:\Users\Admin\AppData\Local\Temp\ZemanaAntiMalwareSetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1T5NG.tmp\ZemanaAntiMalwareSetup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HCB1P.tmp\Zemana.AntiMalware.Setup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
C:\Windows\system32\drivers\amsdk.sys

Filesize
227KB

MD5
a83639773c1bd96a2953ea64a82ff863

SHA1
0e0464db821b1c3aee8d75f7fb28a3e0020cbdd7

SHA256
9c394dcab9f711e2bf585edf0d22d2210843885917d409ee56f22a4c24ad225e

SHA512
0cc868992a0512b26149cecdf4b33559d9c0839479da4406be539246baf075fb5cd7393f6b87fcec48bb25c581163c9b9bb717953d1c65549adfac2aa983a9ee

Download Submit
\Users\Admin\AppData\Local\Temp\is-1T5NG.tmp\ZemanaAntiMalwareSetup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-84KDB.tmp\AMSDKCore399001.dll

Filesize
17.1MB

MD5
bd1cd3cb27c3687f70789c96bd324381

SHA1
474ac73892fcb8f2d7f44fabb8020dfd1cf415bd

SHA256
2c63c9035a5794423fcf360a685c321c0d1a4e72c4dca4c66a87d7a2157d3bb5

SHA512
c601946878720f83fe41e215cedbd00b71bcb0a81022becf8e78848693a9d4e82b57f9ee935999b4fa1500f21ade0727ad5b6c25a414e3c459d87bdb7706b953

Download Submit
\Users\Admin\AppData\Local\Temp\is-HCB1P.tmp\Zemana.AntiMalware.Setup.tmp

Filesize
2.9MB

MD5
ea91a08c1eb0733bb797bb6458f01fb9

SHA1
8d044f513e8bd9e790f862d210a09fa109b75bc8

SHA256
c0c7e61f5d7f57f14f6741d38514d265b48dccc267303d17b8195b1548736590

SHA512
45ab028ae2a05be7b6889a33109665fe414684d8900c6d9b0a645f970295c7f6e0279c49c458abf6d81978b981723108e1b2b4e070dde16f75e3e43e544497a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-SI7F3.tmp\AMSDKCore399001.dll

Filesize
17.1MB

MD5
bd1cd3cb27c3687f70789c96bd324381

SHA1
474ac73892fcb8f2d7f44fabb8020dfd1cf415bd

SHA256
2c63c9035a5794423fcf360a685c321c0d1a4e72c4dca4c66a87d7a2157d3bb5

SHA512
c601946878720f83fe41e215cedbd00b71bcb0a81022becf8e78848693a9d4e82b57f9ee935999b4fa1500f21ade0727ad5b6c25a414e3c459d87bdb7706b953

Download Submit
memory/1736-75-0x0000000003E51000-0x00000000042E9000-memory.dmp

Filesize
4.6MB

Download
memory/1736-76-0x0000000003E50000-0x0000000005372000-memory.dmp

Filesize
21.1MB

Download
memory/1780-63-0x0000000003E61000-0x00000000042F9000-memory.dmp

Filesize
4.6MB

Download
memory/1780-64-0x0000000003E60000-0x0000000005382000-memory.dmp

Filesize
21.1MB

Download
memory/1976-61-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1976-65-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1976-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2016-69-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2016-67-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2016-77-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2016-79-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Resubmissions

Analysis

Sharing