2020-03-26 - INFORMATION_03_26.DOC PUSHES ZLOADER

ASSOCIATED FILES:

NOTES:


IMAGES


Shown above: Extracting information_03_26.doc from the zip archive.



Shown above: Artifact immediately dropped after enabling macros on information_03_26.doc.



Shown above: Traffic from the infection filtered in Wireshark.



Shown above: The initial DLL seen in today's wave for this campaign. In this case, it's ZLoader.



Shown above: Some of the decoy folders created along with the folder for the persistent ZLoader DLL.



Shown above: Registry update to keep the ZLoader infection persistent.
