c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1

Analysis

max time kernel
152s
max time network
80s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
Size

228KB
MD5

64f71d48982c65a907dc40199cf1557a
SHA1

7ec5ac5ff1caf8d3b1f7a348c069353aad41dcd6
SHA256

c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1
SHA512

aa2fca0d979ae3bac8f7beec2ebc89709ef5b7906eaaa622c5528565e7e6afd5ad57a0914e7ad4d39ce87719db0fbdb23d9a8ef6442d53f5e90a34972afb68d7
SSDEEP

3072:6gEty/i5UYJVFV5eDQHsuvNA05Vqtto24VmcZMUuXi46qndrAxIbYpWv:oy+3JrLeDQHr+uV0to24VmlUuSvqdl

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mzral.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	mzral.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /J"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /E"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /W"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /C"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /d"	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /X"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /l"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /V"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /T"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /g"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /e"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /G"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /j"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /i"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /z"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /s"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /U"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /m"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /D"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /u"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /k"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /q"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /M"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /c"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /Z"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /S"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /y"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /H"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /B"	mzral.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /R"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /K"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /Q"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /O"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /L"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /t"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /v"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /A"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /p"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /x"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /a"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /I"	mzral.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /r"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /N"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /h"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /d"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /n"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /Y"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /b"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /F"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /w"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /P"	mzral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mzral = "C:\\Users\\Admin\\mzral.exe /f"	mzral.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe
1316	mzral.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
1316	mzral.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1316	1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe	26
PID 1928 wrote to memory of 1316	1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe	26
PID 1928 wrote to memory of 1316	1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe	26
PID 1928 wrote to memory of 1316	1928	c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe	26

C:\Users\Admin\AppData\Local\Temp\c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe
"C:\Users\Admin\AppData\Local\Temp\c9a23374473a464d9008c9e9a0006faaa4c9d09e22f2e472935d32c4d95ee9d1.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\mzral.exe
  "C:\Users\Admin\mzral.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mzral.exe

Filesize
228KB

MD5
1daca7fdfb547322ca3f1e77341822b4

SHA1
f78c751fe6633d9264375b544637aaa7814eaa69

SHA256
f94d4f32ffc26342dcc9f5040504b4fb3861a807d6891cf471663c2b4118c1ea

SHA512
7e3956a166fcc4afe11fd3b45c867a7c70a2840f5daa0dda3b7659ae125b12398431f80fc22098494cce548a8e4355c5ab27efef8a92981b69792d7d4e9dbdf6

Download Submit
C:\Users\Admin\mzral.exe

Filesize
228KB

MD5
1daca7fdfb547322ca3f1e77341822b4

SHA1
f78c751fe6633d9264375b544637aaa7814eaa69

SHA256
f94d4f32ffc26342dcc9f5040504b4fb3861a807d6891cf471663c2b4118c1ea

SHA512
7e3956a166fcc4afe11fd3b45c867a7c70a2840f5daa0dda3b7659ae125b12398431f80fc22098494cce548a8e4355c5ab27efef8a92981b69792d7d4e9dbdf6

Download Submit
\Users\Admin\mzral.exe

Filesize
228KB

MD5
1daca7fdfb547322ca3f1e77341822b4

SHA1
f78c751fe6633d9264375b544637aaa7814eaa69

SHA256
f94d4f32ffc26342dcc9f5040504b4fb3861a807d6891cf471663c2b4118c1ea

SHA512
7e3956a166fcc4afe11fd3b45c867a7c70a2840f5daa0dda3b7659ae125b12398431f80fc22098494cce548a8e4355c5ab27efef8a92981b69792d7d4e9dbdf6

Download Submit
\Users\Admin\mzral.exe

Filesize
228KB

MD5
1daca7fdfb547322ca3f1e77341822b4

SHA1
f78c751fe6633d9264375b544637aaa7814eaa69

SHA256
f94d4f32ffc26342dcc9f5040504b4fb3861a807d6891cf471663c2b4118c1ea

SHA512
7e3956a166fcc4afe11fd3b45c867a7c70a2840f5daa0dda3b7659ae125b12398431f80fc22098494cce548a8e4355c5ab27efef8a92981b69792d7d4e9dbdf6

Download Submit
memory/1316-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1316-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1928-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1928-57-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-65-0x0000000002D10000-0x0000000002D4A000-memory.dmp

Filesize
232KB

Download
memory/1928-66-0x0000000002D10000-0x0000000002D4A000-memory.dmp

Filesize
232KB

Download
memory/1928-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download