This document analyzes a malicious payload loader discovered in the wild. This code should NEVER be executed and is documented here for security research and educational purposes only.
This is a malware loader written in C# that decrypts and decompresses an embedded shellcode blob and executes it inside a legitimate Windows process. The loader masquerades as a document file, opens a decoy document for the victim, and uses a section-based process hollowing technique against a suspended `explorer.exe` so that the shellcode runs under a trusted process name. Process hollowing is an injection and defense-evasion technique, not a persistence mechanism; the analysed code does not show how the implant survives a reboot.
- Creates a suspended `explorer.exe` process
- Uses Windows Native API (`ZwCreateSection`, `ZwMapViewOfSection`) for memory manipulation
- Implements a section-based process hollowing technique: the shellcode is copied into a locally mapped view of a section that is also mapped into the target, so the bytes appear in the remote process without a `WriteProcessMemory` call
- Encryption: AES (Rijndael) in ECB mode with PKCS7 padding
- Compression: GZIP decompression of the decrypted payload
- Key: `164329457b343765` (hardcoded; 16 characters, which is a 128-bit key if used as raw ASCII bytes; as a hex string it would be too short for AES)
- Decoy document deployment (`交广微贷易金融实名注册需求文档.docx`, roughly "Jiaoguang Weidaiyi Finance real-name registration requirements document")
- File name manipulation and GUID-based temporary file creation
- Direct Native API usage to bypass user-mode hooks
1. Executable launched
↓
2. AES decryption of embedded shellcode
↓
3. GZIP decompression
↓
4. Create suspended explorer.exe process
↓
5. Create memory section and map to both local/remote processes
↓
6. Copy shellcode to mapped section
↓
7. Patch process entry point with jump to shellcode
↓
8. Resume thread (execute shellcode)
↓
9. Display decoy document to victim
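Steps 2 and 3 of the flow, replayed as an added example so the shellcode can be recovered statically rather than by running the loader. This is not the loader's own code; it assumes the blob is Base64 text, AES in ECB mode with PKCS7 padding, the hardcoded key used as its 16 raw ASCII bytes (AES-128), and a GZIP stream underneath. It needs the `cryptography` package, and `SAMPLE_SHELLCODE` is a constructed, harmless stand-in, not the payload from the sample.

```python
"""Added example, not the loader's code: replays the unpacking pipeline the loader
applies to its embedded blob (Base64 -> AES-ECB/PKCS7 -> GZIP) so the shellcode
can be recovered statically. Assumes the 16-character key is used as raw ASCII
bytes (AES-128); a 16-character hex string would be too short for AES.
Requires the `cryptography` package. SAMPLE_SHELLCODE is a constructed,
harmless stand-in, not the payload from the sample."""
import base64
import gzip
import hashlib

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY = b"164329457b343765"  # hardcoded key reported above, taken as ASCII bytes


def unpack_payload(blob_b64: str, key: bytes = KEY) -> bytes:
    """Base64 -> AES-128-ECB decrypt -> PKCS7 unpad -> GZIP decompress."""
    ciphertext = base64.b64decode(blob_b64)
    if len(ciphertext) == 0 or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    decryptor = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    compressed = unpadder.update(padded) + unpadder.finalize()  # ValueError on bad padding
    if compressed[:2] != b"\x1f\x8b":
        raise ValueError("no GZIP magic after decryption: wrong key, mode or padding")
    return gzip.decompress(compressed)


def pack_payload(shellcode: bytes, key: bytes = KEY) -> str:
    """Inverse pipeline; used here only to build the constructed fixture below."""
    compressed = gzip.compress(shellcode, mtime=0)  # mtime=0 keeps the fixture deterministic
    padder = padding.PKCS7(128).padder()
    padded = padder.update(compressed) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return base64.b64encode(encryptor.update(padded) + encryptor.finalize()).decode("ascii")


def summarize(shellcode: bytes) -> dict:
    """First facts an analyst records about the recovered blob."""
    return {"size": len(shellcode),
            "sha256": hashlib.sha256(shellcode).hexdigest(),
            "first_bytes": shellcode[:8].hex()}


# Constructed stand-in: x64 `mov rax, 0x41 ; ret` followed by NOPs (never executed here).
SAMPLE_SHELLCODE = bytes.fromhex("48c7c041000000c3") + b"\x90" * 24
SAMPLE_BLOB = pack_payload(SAMPLE_SHELLCODE)

if __name__ == "__main__":
    recovered = unpack_payload(SAMPLE_BLOB)
    assert recovered == SAMPLE_SHELLCODE
    print(summarize(recovered))
```

Because the mode is ECB and the key is fixed, every ciphertext block depends only on its own plaintext block. The first block therefore encodes nothing but the first 16 bytes of the GZIP stream, so if the packer writes the same GZIP header across builds, the Base64 of that first block is a usable static signature for other samples built with the same key.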
- `交广微贷易金融实名注册需求文档.exe` (original executable)
- `交广微贷易金融实名注册需求文档.docx` (decoy document)
- Suspicious process creation: `c:\windows\explorer.exe` started in the suspended state by the lure executable rather than by the normal shell start-up
- Memory section mapping without a corresponding backing file
- Entry point modification in a suspended process
- Temp directory file operations with GUID naming
- `ZwCreateSection`
- `ZwMapViewOfSection`
- `ZwQueryInformationProcess`
- `CreateProcess` with the `CREATE_SUSPENDED` flag (0x4)
- Direct PEB (Process Environment Block) manipulation
```text
// Creates RWX memory sections (pseudocode of the observed calls, not the loader's exact code)
ZwCreateSection(PAGE_EXECUTE_READWRITE, SEC_COMMIT)
MapSection(target_process, PAGE_EXECUTE_READWRITE)
```
- Generates x86/x64 assembly stubs (`MOV RAX/EAX, address; JMP RAX/EAX`)
- Overwrites the legitimate process entry point with that stub
- Redirects execution flow to the injected shellcode once the main thread is resumed
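The entry-point patch described above, seen from the defender's side, as an added example that is not part of the original analysis. The stub the loader writes is `MOV RAX, imm64 ; JMP RAX` (bytes `48 B8 <imm64> FF E0`) on x64 or `MOV EAX, imm32 ; JMP EAX` (`B8 <imm32> FF E0`) on x86, so a memory-forensics check can recognise it at a process's entry point and compare the mapped image with the file on disk. The opcode encodings are the standard ones; the entry-byte fixtures, image base and section address below are constructed stand-ins, not bytes or addresses from `explorer.exe` or the sample.

```python
"""Added example, not code from the analysed loader: recognise the
MOV RAX/EAX, imm ; JMP RAX/EAX trampoline at a process's entry point and
compare in-memory entry bytes with the on-disk image. The fixtures are
constructed stand-ins, not bytes from explorer.exe or the sample."""
import struct

X64_STUB_LEN = 12  # 48 B8 <imm64> FF E0
X86_STUB_LEN = 7   # B8 <imm32> FF E0


def parse_trampoline(code: bytes):
    """Return ("x64", target) or ("x86", target) if code starts with the stub, else None."""
    if len(code) >= X64_STUB_LEN and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "x64", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= X86_STUB_LEN and code[:1] == b"\xb8" and code[5:7] == b"\xff\xe0":
        return "x86", struct.unpack_from("<I", code, 1)[0]
    return None


def build_trampoline(target: int, arch: str) -> bytes:
    """Encode the stub; used here only to construct the patched fixture."""
    if arch == "x64":
        return b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xe0"
    if arch == "x86":
        return b"\xb8" + struct.pack("<I", target) + b"\xff\xe0"
    raise ValueError(f"unknown arch {arch!r}")


def assess_entry_point(on_disk: bytes, in_memory: bytes,
                       image_base: int, image_size: int) -> dict:
    """Compare entry-point bytes read from the mapped image against the file on disk.

    A trampoline whose target lies outside the image's own address range is the
    strongest signal: legitimate entry code never jumps out of its own module
    by absolute address before the first instruction has run.
    """
    report = {"modified": on_disk != in_memory, "trampoline": None,
              "target_outside_image": False}
    stub = parse_trampoline(in_memory)
    if stub:
        arch, target = stub
        report["trampoline"] = {"arch": arch, "target": target}
        report["target_outside_image"] = not (image_base <= target < image_base + image_size)
    return report


# Constructed fixtures (NOT real explorer.exe bytes): a typical MSVC entry stub,
# and the same bytes after a 12-byte x64 trampoline has been written over them.
CLEAN_ENTRY = bytes.fromhex("4883ec28e8170a00004883c428e972fe")
IMAGE_BASE, IMAGE_SIZE = 0x7FF6_1234_0000, 0x50_0000   # hypothetical image range
SECTION_VIEW = 0x1F4_A2B3_0000                          # hypothetical address of the mapped RWX view
PATCHED_ENTRY = build_trampoline(SECTION_VIEW, "x64") + CLEAN_ENTRY[X64_STUB_LEN:]

if __name__ == "__main__":
    print(assess_entry_point(CLEAN_ENTRY, CLEAN_ENTRY, IMAGE_BASE, IMAGE_SIZE))
    print(assess_entry_point(CLEAN_ENTRY, PATCHED_ENTRY, IMAGE_BASE, IMAGE_SIZE))
```

In a live check, `on_disk` comes from the PE's `AddressOfEntryPoint` in the file and `in_memory` from reading the same RVA in the target; the image base comes from the remote PEB, which is exactly the value the loader itself obtains through `ZwQueryInformationProcess`.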
- Chinese lure filename styled as a financial document; it targets Chinese-speaking victims and non-ASCII paths can trip up tooling that mishandles Unicode
- Decoy document distraction
- Encrypted payload (Base64 + AES)
- Native API usage (harder to hook)
| Technique ID | Technique Name | Description |
|---|---|---|
| T1055.012 | Process Injection: Process Hollowing | Creates suspended process and injects code |
| T1027 | Obfuscated Files or Information | AES encryption + GZIP compression |
| T1027.009 | Embedded Payloads | Shellcode embedded in executable |
| T1036.005 | Masquerading: Match Legitimate Name | Disguised as Chinese financial document |
| T1564.010 | Hide Artifacts: Process Argument Spoofing | Shellcode runs inside a process that presents as a legitimate explorer.exe; tentative mapping, since the analysed code manipulates the target PEB but no spoofed command line is shown |
- Use of .NET Rijndael/AES cryptographic classes (e.g. `RijndaelManaged`)
- String patterns: "ZwCreateSection", "ZwMapViewOfSection" (P/Invoke entry-point names are stored as ASCII in the assembly's metadata)
- Large Base64-encoded blobs (C# string literals are stored UTF-16LE, so scan for both encodings)
- Chinese Unicode file paths combined with .exe/.docx
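The static indicators above turned into a triage scan, as an added example that is not part of the original analysis. It assumes .NET layout conventions: P/Invoke entry-point names (`ZwCreateSection` and friends) sit as ASCII in the `#Strings` heap, while C# string literals such as the Base64 blob and the decoy filename sit as UTF-16LE in the `#US` heap, so each indicator is searched in both encodings. The `SAMPLE` bytes are a constructed stand-in, not the real file, and the scoring thresholds are illustrative.

```python
"""Added example, not the loader's code: static triage of a candidate sample for
the indicators listed above. Assumes .NET metadata layout (ASCII P/Invoke names,
UTF-16LE string literals). SAMPLE is constructed, not the real file."""
import re

NATIVE_API = [b"ZwCreateSection", b"ZwMapViewOfSection", b"ZwQueryInformationProcess"]
CRYPTO_REFS = [b"RijndaelManaged", b"AesManaged", b"AesCryptoServiceProvider"]
KNOWN_KEY = b"164329457b343765"   # hardcoded key from the report
MIN_BLOB = 512                    # illustrative: Base64 runs shorter than this are rarely payloads


def _utf16(s: bytes) -> bytes:
    return s.decode("ascii").encode("utf-16-le")


def _present(data: bytes, needle: bytes) -> bool:
    """True if needle occurs as ASCII or as UTF-16LE."""
    return needle in data or _utf16(needle) in data


def find_base64_blobs(data: bytes, min_len: int = MIN_BLOB):
    """Return (offset, length_in_chars, encoding) for long Base64 runs in either encoding."""
    hits = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, data):
        hits.append((m.start(), m.end() - m.start(), "ascii"))
    for m in re.finditer(rb"(?:[A-Za-z0-9+/]\x00){%d,}(?:=\x00){0,2}" % min_len, data):
        hits.append((m.start(), (m.end() - m.start()) // 2, "utf-16-le"))
    return hits


def has_cjk_lure_name(data: bytes) -> bool:
    """UTF-16LE CJK Unified Ideographs (U+4E00..U+9FFF) directly followed by .exe or .docx."""
    pat = rb"(?:[\x00-\xff][\x4e-\x9f])+\.\x00(?:e\x00x\x00e\x00|d\x00o\x00c\x00x\x00)"
    return re.search(pat, data) is not None


def triage(data: bytes) -> dict:
    blobs = find_base64_blobs(data)
    return {
        "native_api": [n.decode() for n in NATIVE_API if _present(data, n)],
        "crypto_refs": [n.decode() for n in CRYPTO_REFS if _present(data, n)],
        "known_key": _present(data, KNOWN_KEY),
        "base64_blobs": len(blobs),
        "largest_blob": max((b[1] for b in blobs), default=0),
        "cjk_lure_name": has_cjk_lure_name(data),
    }


def score(report: dict) -> int:
    """Crude points-based verdict; tune the weights against your own corpus."""
    s = 2 if len(report["native_api"]) >= 2 else 0
    s += 1 if report["crypto_refs"] else 0
    s += 3 if report["known_key"] else 0
    s += 1 if report["largest_blob"] >= MIN_BLOB else 0
    s += 1 if report["cjk_lure_name"] else 0
    return s


# Constructed fixture imitating the relevant parts of the loader's metadata.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"ZwCreateSection\x00ZwMapViewOfSection\x00ZwQueryInformationProcess\x00"
    + b"RijndaelManaged\x00"
    + _utf16(KNOWN_KEY) + b"\x00\x00"
    + _utf16(b"QUJD" * 200)                                   # 800-char Base64-looking literal
    + "交广微贷易金融实名注册需求文档.docx".encode("utf-16-le")
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report, "score =", score(report))
```

The hardcoded key is the highest-weighted indicator because it is the least likely string to appear in benign software; the native API names alone also occur in legitimate tooling, which is why they only count in combination.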
- Monitor `CreateProcess` calls with the `CREATE_SUSPENDED` flag, especially when the child is `explorer.exe`
- Track cross-process `ZwMapViewOfSection` calls that map an executable (RWX) view into another process; the shellcode in this loader travels through a shared section, so `ReadProcessMemory`/`WriteProcessMemory` hooks alone will not see it land in the target
- Alert on `ZwQueryInformationProcess` and remote PEB reads from processes that are not debuggers
- Detect entry point modifications (compare the mapped image's entry bytes with the file on disk)
- Analyze shellcode for C2 communication patterns
- Monitor for unusual outbound connections from explorer.exe
- Prevention
  - User awareness training (email attachments)
  - Application whitelisting
  - Block execution of untrusted executables from user-writable locations (the lure is an `.exe` named like a `.docx`, so macro settings do not apply to it)
- Detection
  - Deploy EDR solutions with behavior monitoring
  - Enable Windows Defender Attack Surface Reduction rules
  - Monitor for Native API abuse
- Response
  - Isolate affected systems immediately
  - Capture a memory dump before shutdown (the decrypted shellcode and the shared section exist only in memory)
  - Analyze the shellcode payload for additional IoCs
This analysis is provided for:
- Malware researchers
- Security operations teams
- Threat intelligence analysts
- Academic study
DO NOT attempt to execute, modify, or distribute this code. Unauthorized use may violate computer fraud and abuse laws.
- Windows Native API Documentation
- MITRE ATT&CK Framework
- Process Hollowing Techniques (T1055.012)
Analysis Date: 2025
Threat Level: HIGH
Classification: Loader/Injector Malware