eae37c008a65e02e2030f725e1a09c4154191462c41e672a08a77a410503ffd9

General

Target

Zylofuscator-main.zip
Size

6.7MB
MD5

7465a1227af057aaeb370153f62351b1
SHA1

2d5352d193f8037d5a0efd731a7789635abcc459
SHA256

eae37c008a65e02e2030f725e1a09c4154191462c41e672a08a77a410503ffd9
SHA512

b7d5452dad8b8d3ac20263119219270e2b49a9d243be79326486338d5eca176841c23a5c77d80ef7e92238ba5c0f7aa6af3c225b320112f95f6a41bc85a993a3
SSDEEP

98304:L0pdz/eV4dh8G6aioQPH1xx9waAMdGUxVBZAxGT:aY4v8GP5Q19wIdG0BIG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1248	Zylofuscatorgui.exe

Loads dropped DLL 6 IoCs

pid	Process
1248	Zylofuscatorgui.exe
1248	Zylofuscatorgui.exe
1248	Zylofuscatorgui.exe
1248	Zylofuscatorgui.exe
1248	Zylofuscatorgui.exe
1248	Zylofuscatorgui.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zylofuscatorgui.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4692	7zFM.exe
Token: 35	4692	7zFM.exe
Token: SeSecurityPrivilege	4692	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4692	7zFM.exe
4692	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Zylofuscator-main.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2844

C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\Zylofuscatorgui.exe
"C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\Zylofuscatorgui.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE452BADA7\Zylofuscator-main\packages\dnlib.4.4.0\lib\net45\dnlib.xml

Filesize
1.8MB

MD5
4f66f6d14a67bbd0f70012557d88d17b

SHA1
d378a9d3fefa6b152c571471c0f137f10fff3151

SHA256
f453807c0866bdb424541c9297a4c55107143c0103cb84f23d070044f62b7273

SHA512
4ee56fd74dbbcaf4ba0ba41a10c4c88bde0d12b2a01afab71017acc1b604658ed9f64b03a0a0876d295c3591ff000f0fd75cdf622612027bd8860d811e6e7b34

Download Submit
C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\Guna.UI.dll

Filesize
1.1MB

MD5
8673eae95d67e5eb19f0eca3111408e8

SHA1
ad3e1ce93782537ffd3cd9e0bb9d30ae22d40ddb

SHA256
576d2de2c9ef5bc1ea9bdd73ae8f408004260037c3b72227eed27e995166276d

SHA512
65c4eadf448a643f45fa9a0d91497bb25af404c41a3a32686d9e99ba4f4e50783d73f5b13d5df505cc62c465be300746d84a2eaa8000531893cd0b19d6436239

Download Submit
C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\Guna.UI2.dll

Filesize
1.4MB

MD5
acec68d05e0b9b6c34a24da530dc07b2

SHA1
015eb32aad6f5309296c3a88f0c5ab1ba451d41e

SHA256
bf72939922afa2cd17071f5170b4a82d05bceb1fc33ce29cdfbc68dbb97f0277

SHA512
d68d3ac62319178d3bc27a0f1e1762fc814a4da65156db90ae17284a99e5d9909e9e6348a4ff9ef0b92a46ba2033b838b75313307b46ab72dc0aab9641e4f700

Download Submit
C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\Zylofuscatorgui.exe

Filesize
109KB

MD5
77c4eb4ce3cc9b317888bb71ded6ee87

SHA1
3445e78bb5b6a839dfde10cafd3bec29aca42bf2

SHA256
5c9ccc3fcfa29cdb1ab5c0141ddadf61335cb0de8a83ced7a826ee84c525be59

SHA512
771540e17c360371728c49dc8aef51eae0dc427fc3b0aab8f5fd402f140782ea42ede1ce99cddc8673e0561e80c0f23b492c5d86cff2cdd0027e3f6a34f9d290

Download Submit
C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\Zylofuscatorgui.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\Zylofuscatorgui.pdb

Filesize
127KB

MD5
ee5bf412aea819d907ffd16169b4a190

SHA1
e8b912ebd37a8b81410133eab58dfcf3182241ac

SHA256
21025b8dfbec55543999514df2677183293b1812ed2b526f096e17a9817ff88b

SHA512
9f607cdd974f3dfe2048da754831d1d6a5d8e564a09cc9662fed3a0bbc5e0a3f10c16a75017ce439a1164972bd62af5cba475de1777fedd573f39596fdc5a230

Download Submit
C:\Users\Admin\Desktop\Zylofuscator-main\Zylofuscatorgui\bin\Debug\dnlib.dll

Filesize
1.1MB

MD5
3d913aab7b1c514502c6a232e37d470e

SHA1
28ac2d1519ec5ea58b81fe40777645acc043b349

SHA256
bdb84aa16678189510def7c589851f6ea15e60ff977ea4c7c8c156504e6ac0ff

SHA512
311e8f73c52dd65cbaf9f6e008b3231090ea99edf3471bac63cca4156a37a0d874ac590b19c01b15e05345bb6a5b636a11698bbd4e88c59c138dd3f358800027

Download Submit
memory/1248-131-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1248-140-0x00000000069B0000-0x0000000006A16000-memory.dmp

Filesize
408KB

Download
memory/1248-134-0x00000000056F0000-0x0000000005866000-memory.dmp

Filesize
1.5MB

Download
memory/1248-128-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/1248-135-0x0000000005680000-0x00000000056B2000-memory.dmp

Filesize
200KB

Download
memory/1248-127-0x0000000005890000-0x0000000005E36000-memory.dmp

Filesize
5.6MB

Download
memory/1248-139-0x0000000006D10000-0x0000000006E2A000-memory.dmp

Filesize
1.1MB

Download
memory/1248-129-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/1248-141-0x0000000006EA0000-0x0000000006F3C000-memory.dmp

Filesize
624KB

Download
memory/1248-142-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/1248-143-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download
memory/1248-126-0x00000000008A0000-0x00000000008C2000-memory.dmp

Filesize
136KB

Download
memory/1248-147-0x000000000A9A0000-0x000000000AAC6000-memory.dmp

Filesize
1.1MB

Download
memory/1248-125-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/1248-150-0x0000000075230000-0x00000000759E1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing