395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6

General

Target

395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe
Size

440KB
MD5

4a8d3539c3078a16c93c766fef28c605
SHA1

6da0d3b40762f46486f1b989548fdf9d777fc894
SHA256

395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6
SHA512

a3124ee40d95c8673e0cbcacd12b2af453f3b6a1a51e494344c822dee47fce97970b0cf0ee31767dee31682b4f017b32f651ff2486cc3ea6586dad14dbbcdef8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1452	svchost.exe

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe
1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zgzob\svchost.exe	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe
1452	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1796	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1452	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	26
PID 1944 wrote to memory of 1452	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	26
PID 1944 wrote to memory of 1452	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	26
PID 1944 wrote to memory of 1452	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	26
PID 1944 wrote to memory of 1908	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	27
PID 1944 wrote to memory of 1908	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	27
PID 1944 wrote to memory of 1908	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	27
PID 1944 wrote to memory of 1908	1944	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	27
PID 1908 wrote to memory of 1796	1908	cmd.exe	29
PID 1908 wrote to memory of 1796	1908	cmd.exe	29
PID 1908 wrote to memory of 1796	1908	cmd.exe	29
PID 1908 wrote to memory of 1796	1908	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe
"C:\Users\Admin\AppData\Local\Temp\395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\zgzob\svchost.exe
  C:\Windows\system32\\zgzob\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 >nul&del/f/s/q "C:\Users\Admin\AppData\Local\Temp\395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-59-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing