Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 09:03
Static task: static1
Behavioral task: behavioral1
- Sample: 6b699598_by_Libranalysis.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 6b699598_by_Libranalysis.exe
- Resource: win10v20210410
General
- Target: 6b699598_by_Libranalysis.exe
- Size: 231KB
- MD5: 6b699598d9b88107f16ea4977a39dd2c
- SHA1: 28ae2c9fe6ae8ca1e891d32094e159684363cef1
- SHA256: de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248
- SHA512: 668ca675242b843f7781df225c4156b2b7722b7f7a5afe9233e45ff587546ac5d35f282f43fc518228ae7591290f4bb0da5aada839bcfe1ee255f98c694d0050
Malware Config
Signatures
-
- Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\odt\\BCGR.EXE \"%1\" %*" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | ZEI.EXE
- YARA matches on dropped file (signature name not captured in the export)
  resource | yara_rule
  C:\$Recycle.Bin\ZEI.EXE | aspack_v212_v242
  C:\$Recycle.Bin\ZEI.EXE | aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid | process
  1264 | ZEI.EXE
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZHY.EXE = "C:\\Users\\DYWVLVO.EXE" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ZEI.EXE
- Enumerates connected drives (3 TTPs, 36 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (18 drive letters) | 6b699598_by_Libranalysis.exe
  File opened (read-only) | \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (18 drive letters) | ZEI.EXE
- Drops file in Program Files directory (1 IoC)
  description | ioc | process
  File created | C:\Program Files (x86)\FXCMEM.EXE | ZEI.EXE
- Modifies registry class (38 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\$Recycle.Bin\\STN.EXE \"%1\"" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile | ZEI.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\BCJIBWC.EXE \"%1\"" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | ZEI.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\System Volume Information\\SSCSLNG.EXE %1" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | 6b699598_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\odt\\BCGR.EXE \"%1\" %*" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell | ZEI.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open | ZEI.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\odt\\GTEG.EXE %1" | 6b699598_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 6b699598_by_Libranalysis.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 2188 wrote to memory of 1264 | 2188 | 6b699598_by_Libranalysis.exe | ZEI.EXE
  PID 2188 wrote to memory of 1264 | 2188 | 6b699598_by_Libranalysis.exe | ZEI.EXE
  PID 2188 wrote to memory of 1264 | 2188 | 6b699598_by_Libranalysis.exe | ZEI.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\6b699598_by_Libranalysis.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6b699598_by_Libranalysis.exe"
   - Modifies system executable filetype association
   - Adds Run key to start application
   - Enumerates connected drives
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\$Recycle.Bin\ZEI.EXE (child process, depth 2)
      Command line: C:\$Recycle.Bin\ZEI.EXE
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\$Recycle.Bin\ZEI.EXE
  MD5: 2e758783d957f08b78f4a4228766e1e8
  SHA1: 82896f31420ef844a303155b8775d6b531c756b4
  SHA256: de8bd08c6142a68f2d1c6e2e5fc3c7f71aa62a9b305e5ec39049e6be0e52f851
  SHA512: b2f08ed973bab2669067a3c4314e01f547d693897066e49127195fa39a499829d6912d211b7d9b62f910ca6ac5f4108ad1d4a970b75ac149804c7a01f74d492b
- memory/1264-114-0x0000000000000000-mapping.dmp
- memory/1264-118-0x0000000000580000-0x00000000006CA000-memory.dmp
  Filesize: 1.3MB
- memory/2188-117-0x00000000007C0000-0x00000000007C1000-memory.dmp
  Filesize: 4KB