Analysis

max time kernel: 151s
max time network: 142s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 19:42

Static task: static1

Behavioral task: behavioral1
  Sample: Commercial Invoice & PL - TWNYC3469342.scr
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Commercial Invoice & PL - TWNYC3469342.scr
  Resource: win10v20201028

General

Target: Commercial Invoice & PL - TWNYC3469342.scr
Size: 787KB
MD5: cc41e556572c9bf5ba045f89198f7b98
SHA1: 47f2431463872774d27e3ce89999bc69b0fdab2f
SHA256: 2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c
SHA512: 72391718a6e316bf8e72a2f2dfb4b5d889034c2300307562d4548ef6be896632eb23f0203f69c2b93a01bdb154ce8ba2512b0bc4aa832acea028f6d283428525
Malware Config

Signatures

- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1752  zoxexoub.exe
    684   zoxexoub.exe

- Deletes itself (1 IoC)
  Processes (pid, process):
    1616  cmd.exe

- Loads dropped DLL (6 IoCs)
  Processes (pid, process):
    1380  Commercial Invoice & PL - TWNYC3469342.scr  (4 entries)
    684   zoxexoub.exe  (2 entries)

- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Currentversion\Run  zoxexoub.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ymigdobox = "C:\\Users\\Admin\\AppData\\Roaming\\Tigeanaba\\zoxexoub.exe"  zoxexoub.exe
    Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run  zoxexoub.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1936 set thread context of 1380  1936  Commercial Invoice & PL - TWNYC3469342.scr  Commercial Invoice & PL - TWNYC3469342.scr
    PID 1752 set thread context of 684   1752  zoxexoub.exe  zoxexoub.exe

- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes (pid, process):
    1936  Commercial Invoice & PL - TWNYC3469342.scr
    1380  Commercial Invoice & PL - TWNYC3469342.scr
    1752  zoxexoub.exe
    684   zoxexoub.exe  (repeated for all remaining listed entries)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    1936  Commercial Invoice & PL - TWNYC3469342.scr
    1752  zoxexoub.exe

- Suspicious use of AdjustPrivilegeToken (940 IoCs)
  Processes (description, pid, process):
    Token: SeSecurityPrivilege  1380  Commercial Invoice & PL - TWNYC3469342.scr  (4 entries)
    Token: SeSecurityPrivilege  684   zoxexoub.exe  (repeated for all remaining listed entries)

- Suspicious use of WriteProcessMemory (41 IoCs)
  Processes (description, pid, process, target process):
    PID 1936 wrote to memory of 1380  1936  Commercial Invoice & PL - TWNYC3469342.scr  Commercial Invoice & PL - TWNYC3469342.scr  (4 entries)
    PID 1380 wrote to memory of 1752  1380  Commercial Invoice & PL - TWNYC3469342.scr  zoxexoub.exe  (4 entries)
    PID 1752 wrote to memory of 684   1752  zoxexoub.exe  zoxexoub.exe  (4 entries)
    PID 1380 wrote to memory of 1616  1380  Commercial Invoice & PL - TWNYC3469342.scr  cmd.exe  (4 entries)
    PID 684 wrote to memory of 1132   684   zoxexoub.exe  taskhost.exe  (5 entries)
    PID 684 wrote to memory of 1208   684   zoxexoub.exe  Dwm.exe  (5 entries)
    PID 684 wrote to memory of 1260   684   zoxexoub.exe  Explorer.EXE  (5 entries)
    PID 684 wrote to memory of 624    684   zoxexoub.exe  DllHost.exe  (5 entries)
    PID 684 wrote to memory of 1484   684   zoxexoub.exe  DllHost.exe  (5 entries)
Processes

(process tree; each entry gives the image path, then the command line, then the signatures hit by that process)

- C:\Windows\system32\taskhost.exe
  "taskhost.exe"

- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"

- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE

  - C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr
    "C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr" /S
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr
      "C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr" /S
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
        "C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        - C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
          "C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb31b7973.bat"
        - Deletes itself

- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmpb31b7973.bat
  MD5: ac6d1b4bd7ce78c7caa01cb1c888f9a4
  SHA1: 6fff71af28623b2d030bf74b5dad984759247981
  SHA256: 20a27c9109a2fa1f9c9c8e2dfad32e49e90ec86e8f873c9c9a93f9d2ecb0c027
  SHA512: 559f31a6065227e8e48192ab1d544980ac37ceb33f27256e4c784f8192c94cbc6048584132437a3b4b1d0a7b034f9fa40dd4579beeac13c808fe8d8a1895de15

- C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
  MD5: 778dd6ab1748cb8d2c16265c0913e0f7
  SHA1: 6410133df71544f081157af2ee08b6fd381fa6d7
  SHA256: a45b7b33a9dcce52ec940152beac8a266c959d260b9442562a1504fbded00833
  SHA512: 9848c04cae6ef2216c345f5a0f8f8b2d785ae59c853b878d908905c1064cc581bbecddb7052cf97f83e8c49cca6cdaa6f4bc938e5e29416aace1d2bdec5c1c6b
- \Users\Admin\AppData\Local\Temp\tmp18BE.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

- \Users\Admin\AppData\Local\Temp\tmp18DF.tmp
  MD5: 9b98d47916ead4f69ef51b56b0c2323c
  SHA1: 290a80b4ded0efc0fd00816f373fcea81a521330
  SHA256: 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
  SHA512: 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

- \Users\Admin\AppData\Local\Temp\tmp3562.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

- \Users\Admin\AppData\Local\Temp\tmp3573.tmp
  MD5: 9b98d47916ead4f69ef51b56b0c2323c
  SHA1: 290a80b4ded0efc0fd00816f373fcea81a521330
  SHA256: 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
  SHA512: 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

- \Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
  MD5: 778dd6ab1748cb8d2c16265c0913e0f7
  SHA1: 6410133df71544f081157af2ee08b6fd381fa6d7
  SHA256: a45b7b33a9dcce52ec940152beac8a266c959d260b9442562a1504fbded00833
  SHA512: 9848c04cae6ef2216c345f5a0f8f8b2d785ae59c853b878d908905c1064cc581bbecddb7052cf97f83e8c49cca6cdaa6f4bc938e5e29416aace1d2bdec5c1c6b
- memory/624-18-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp
  Filesize: 2.5MB

- memory/684-11-0x000000000043F4D4-mapping.dmp

- memory/1380-0-0x0000000000400000-0x0000000000447000-memory.dmp
  Filesize: 284KB

- memory/1380-2-0x0000000000400000-0x0000000000447000-memory.dmp
  Filesize: 284KB

- memory/1380-1-0x000000000043F4D4-mapping.dmp

- memory/1616-14-0x0000000000000000-mapping.dmp

- memory/1752-7-0x0000000000000000-mapping.dmp