2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c

Analysis

max time kernel
151s
max time network
142s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Commercial Invoice & PL - TWNYC3469342.scr
Size

787KB
MD5

cc41e556572c9bf5ba045f89198f7b98
SHA1

47f2431463872774d27e3ce89999bc69b0fdab2f
SHA256

2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c
SHA512

72391718a6e316bf8e72a2f2dfb4b5d889034c2300307562d4548ef6be896632eb23f0203f69c2b93a01bdb154ce8ba2512b0bc4aa832acea028f6d283428525

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

zoxexoub.exezoxexoub.exe

pid process

1752 zoxexoub.exe
684 zoxexoub.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1616 cmd.exe

pid	process
1752	zoxexoub.exe
684	zoxexoub.exe

pid	process
1616	cmd.exe

Loads dropped DLL 6 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrzoxexoub.exe

pid	process
1380	Commercial Invoice & PL - TWNYC3469342.scr
1380	Commercial Invoice & PL - TWNYC3469342.scr
1380	Commercial Invoice & PL - TWNYC3469342.scr
1380	Commercial Invoice & PL - TWNYC3469342.scr
684	zoxexoub.exe
684	zoxexoub.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zoxexoub.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Currentversion\Run	zoxexoub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ymigdobox = "C:\\Users\\Admin\\AppData\\Roaming\\Tigeanaba\\zoxexoub.exe"	zoxexoub.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	zoxexoub.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrzoxexoub.exe

description	pid	process	target process
PID 1936 set thread context of 1380	1936	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 1752 set thread context of 684	1752	zoxexoub.exe	zoxexoub.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrCommercial Invoice & PL - TWNYC3469342.scrzoxexoub.exezoxexoub.exe

pid	process
1936	Commercial Invoice & PL - TWNYC3469342.scr
1380	Commercial Invoice & PL - TWNYC3469342.scr
1752	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe
684	zoxexoub.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrzoxexoub.exe

pid process

1936 Commercial Invoice & PL - TWNYC3469342.scr
1752 zoxexoub.exe

Suspicious use of AdjustPrivilegeToken 940 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrzoxexoub.exe

description	pid	process
Token: SeSecurityPrivilege	1380	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	1380	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	1380	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	1380	Commercial Invoice & PL - TWNYC3469342.scr
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe
Token: SeSecurityPrivilege	684	zoxexoub.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

Commercial Invoice & PL - TWNYC3469342.scrCommercial Invoice & PL - TWNYC3469342.scrzoxexoub.exezoxexoub.exe

description	pid	process	target process
PID 1936 wrote to memory of 1380	1936	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 1936 wrote to memory of 1380	1936	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 1936 wrote to memory of 1380	1936	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 1936 wrote to memory of 1380	1936	Commercial Invoice & PL - TWNYC3469342.scr	Commercial Invoice & PL - TWNYC3469342.scr
PID 1380 wrote to memory of 1752	1380	Commercial Invoice & PL - TWNYC3469342.scr	zoxexoub.exe
PID 1380 wrote to memory of 1752	1380	Commercial Invoice & PL - TWNYC3469342.scr	zoxexoub.exe
PID 1380 wrote to memory of 1752	1380	Commercial Invoice & PL - TWNYC3469342.scr	zoxexoub.exe
PID 1380 wrote to memory of 1752	1380	Commercial Invoice & PL - TWNYC3469342.scr	zoxexoub.exe
PID 1752 wrote to memory of 684	1752	zoxexoub.exe	zoxexoub.exe
PID 1752 wrote to memory of 684	1752	zoxexoub.exe	zoxexoub.exe
PID 1752 wrote to memory of 684	1752	zoxexoub.exe	zoxexoub.exe
PID 1752 wrote to memory of 684	1752	zoxexoub.exe	zoxexoub.exe
PID 1380 wrote to memory of 1616	1380	Commercial Invoice & PL - TWNYC3469342.scr	cmd.exe
PID 1380 wrote to memory of 1616	1380	Commercial Invoice & PL - TWNYC3469342.scr	cmd.exe
PID 1380 wrote to memory of 1616	1380	Commercial Invoice & PL - TWNYC3469342.scr	cmd.exe
PID 1380 wrote to memory of 1616	1380	Commercial Invoice & PL - TWNYC3469342.scr	cmd.exe
PID 684 wrote to memory of 1132	684	zoxexoub.exe	taskhost.exe
PID 684 wrote to memory of 1132	684	zoxexoub.exe	taskhost.exe
PID 684 wrote to memory of 1132	684	zoxexoub.exe	taskhost.exe
PID 684 wrote to memory of 1132	684	zoxexoub.exe	taskhost.exe
PID 684 wrote to memory of 1132	684	zoxexoub.exe	taskhost.exe
PID 684 wrote to memory of 1208	684	zoxexoub.exe	Dwm.exe
PID 684 wrote to memory of 1208	684	zoxexoub.exe	Dwm.exe
PID 684 wrote to memory of 1208	684	zoxexoub.exe	Dwm.exe
PID 684 wrote to memory of 1208	684	zoxexoub.exe	Dwm.exe
PID 684 wrote to memory of 1208	684	zoxexoub.exe	Dwm.exe
PID 684 wrote to memory of 1260	684	zoxexoub.exe	Explorer.EXE
PID 684 wrote to memory of 1260	684	zoxexoub.exe	Explorer.EXE
PID 684 wrote to memory of 1260	684	zoxexoub.exe	Explorer.EXE
PID 684 wrote to memory of 1260	684	zoxexoub.exe	Explorer.EXE
PID 684 wrote to memory of 1260	684	zoxexoub.exe	Explorer.EXE
PID 684 wrote to memory of 624	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 624	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 624	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 624	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 624	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 1484	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 1484	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 1484	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 1484	684	zoxexoub.exe	DllHost.exe
PID 684 wrote to memory of 1484	684	zoxexoub.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr
"C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr" /S
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr
"C:\Users\Admin\AppData\Local\Temp\Commercial Invoice & PL - TWNYC3469342.scr" /S
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
"C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
"C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb31b7973.bat"
4⤵
- Deletes itself
PID:1616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb31b7973.bat
MD5
ac6d1b4bd7ce78c7caa01cb1c888f9a4

SHA1
6fff71af28623b2d030bf74b5dad984759247981

SHA256
20a27c9109a2fa1f9c9c8e2dfad32e49e90ec86e8f873c9c9a93f9d2ecb0c027

SHA512
559f31a6065227e8e48192ab1d544980ac37ceb33f27256e4c784f8192c94cbc6048584132437a3b4b1d0a7b034f9fa40dd4579beeac13c808fe8d8a1895de15

Download Submit
C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
MD5
778dd6ab1748cb8d2c16265c0913e0f7

SHA1
6410133df71544f081157af2ee08b6fd381fa6d7

SHA256
a45b7b33a9dcce52ec940152beac8a266c959d260b9442562a1504fbded00833

SHA512
9848c04cae6ef2216c345f5a0f8f8b2d785ae59c853b878d908905c1064cc581bbecddb7052cf97f83e8c49cca6cdaa6f4bc938e5e29416aace1d2bdec5c1c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
MD5
778dd6ab1748cb8d2c16265c0913e0f7

SHA1
6410133df71544f081157af2ee08b6fd381fa6d7

SHA256
a45b7b33a9dcce52ec940152beac8a266c959d260b9442562a1504fbded00833

SHA512
9848c04cae6ef2216c345f5a0f8f8b2d785ae59c853b878d908905c1064cc581bbecddb7052cf97f83e8c49cca6cdaa6f4bc938e5e29416aace1d2bdec5c1c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
MD5
778dd6ab1748cb8d2c16265c0913e0f7

SHA1
6410133df71544f081157af2ee08b6fd381fa6d7

SHA256
a45b7b33a9dcce52ec940152beac8a266c959d260b9442562a1504fbded00833

SHA512
9848c04cae6ef2216c345f5a0f8f8b2d785ae59c853b878d908905c1064cc581bbecddb7052cf97f83e8c49cca6cdaa6f4bc938e5e29416aace1d2bdec5c1c6b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp18BE.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\tmp18DF.tmp
MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3562.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3573.tmp
MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
MD5
778dd6ab1748cb8d2c16265c0913e0f7

SHA1
6410133df71544f081157af2ee08b6fd381fa6d7

SHA256
a45b7b33a9dcce52ec940152beac8a266c959d260b9442562a1504fbded00833

SHA512
9848c04cae6ef2216c345f5a0f8f8b2d785ae59c853b878d908905c1064cc581bbecddb7052cf97f83e8c49cca6cdaa6f4bc938e5e29416aace1d2bdec5c1c6b

Download Submit
\Users\Admin\AppData\Roaming\Tigeanaba\zoxexoub.exe
MD5
778dd6ab1748cb8d2c16265c0913e0f7

SHA1
6410133df71544f081157af2ee08b6fd381fa6d7

SHA256
a45b7b33a9dcce52ec940152beac8a266c959d260b9442562a1504fbded00833

SHA512
9848c04cae6ef2216c345f5a0f8f8b2d785ae59c853b878d908905c1064cc581bbecddb7052cf97f83e8c49cca6cdaa6f4bc938e5e29416aace1d2bdec5c1c6b

Download Submit
memory/624-18-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp

Filesize
2.5MB

Download
memory/684-11-0x000000000043F4D4-mapping.dmp

Download
memory/1380-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1380-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1380-1-0x000000000043F4D4-mapping.dmp

Download
memory/1616-14-0x0000000000000000-mapping.dmp

Download
memory/1752-7-0x0000000000000000-mapping.dmp

Download