de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af

Analysis

max time kernel
62s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe
Size

2.4MB
MD5

7d2dbf6ad8d7763686ed80f9b848a80d
SHA1

5df273a8a21877fb5ce123b42448fb1441f21a72
SHA256

de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af
SHA512

2f5baf5d2529be1e71bda0d351ca3784b9403606f8fb8138618201ece48e7adb339bce852fb7c38d79cdb8a44f56e08baf9271217968ba0b80ae9af8b39965f5
SSDEEP

49152:4UDBuqy4eO/QK6GhcbuR/2sKBvrxpt7fW7kuAhgtOSBrx7O3cxyV3:HDVOsQh9buRdwjx/b6tOS1xk7

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022f56-155.dat	acprotect
behavioral2/files/0x0006000000022f56-154.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4612	wzipstart.exe
4808	wzipstart.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f56-155.dat	upx
behavioral2/files/0x0006000000022f56-154.dat	upx
behavioral2/memory/4808-156-0x0000000010000000-0x0000000010105000-memory.dmp	upx
behavioral2/memory/4808-170-0x0000000010000000-0x000000001022A000-memory.dmp	upx
behavioral2/memory/4808-178-0x0000000010000000-0x000000001022A000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wzipstart.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wzipstart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe

Loads dropped DLL 5 IoCs

pid	Process
4484	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe
4484	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe
4484	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe
4484	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe
4808	wzipstart.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}	wzipstart.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Containers	wzipstart.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InProcServer32	wzipstart.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecs.dll"	wzipstart.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InProcServer32\ThreadingModel = "Both"	wzipstart.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:BF14D50A	wzipstart.exe
File opened for modification	C:\ProgramData\TEMP:BF14D50A	wzipstart.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4808	wzipstart.exe
Token: SeIncBasePriorityPrivilege	4808	wzipstart.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	wzipstart.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4612	4484	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe	78
PID 4484 wrote to memory of 4612	4484	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe	78
PID 4484 wrote to memory of 4612	4484	de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe	78
PID 4612 wrote to memory of 4808	4612	wzipstart.exe	79
PID 4612 wrote to memory of 4808	4612	wzipstart.exe	79
PID 4612 wrote to memory of 4808	4612	wzipstart.exe	79

C:\Users\Admin\AppData\Local\Temp\de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe
"C:\Users\Admin\AppData\Local\Temp\de0937810f9e6826cc5742e2a46ebf94030aa711b2e4c6dc0bfda6cf7122f2af.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Roaming\winzipsoft\wzipstart.exe
  "C:\Users\Admin\AppData\Roaming\winzipsoft\wzipstart.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Users\Admin\AppData\Roaming\winzipsoft\wzipstart.exe
    "C:\Users\Admin\AppData\Roaming\winzipsoft\wzipstart.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsxC0C6.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC0C6.tmp\mForm.dll

Filesize
7KB

MD5
cb6bfbcb969f77ebf81f80dddffe731f

SHA1
c0519b6bbf4f27c3045696b71ef075626dddc799

SHA256
b4439ea17b671cc8da41e7d1965fbc1b2cc5bdbbafac8700eb493ddb5b78d682

SHA512
1e6bc3bd36c138f1765fdcfb16c11cc7aa3841fe63df3374c8278d64992dc3c40c9518a61b8ed287f720eff9073b17c192289902dd21f1a699afcdcf780f4210

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC0C6.tmp\mForm.dll

Filesize
7KB

MD5
cb6bfbcb969f77ebf81f80dddffe731f

SHA1
c0519b6bbf4f27c3045696b71ef075626dddc799

SHA256
b4439ea17b671cc8da41e7d1965fbc1b2cc5bdbbafac8700eb493ddb5b78d682

SHA512
1e6bc3bd36c138f1765fdcfb16c11cc7aa3841fe63df3374c8278d64992dc3c40c9518a61b8ed287f720eff9073b17c192289902dd21f1a699afcdcf780f4210

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC0C6.tmp\mForm.dll

Filesize
7KB

MD5
cb6bfbcb969f77ebf81f80dddffe731f

SHA1
c0519b6bbf4f27c3045696b71ef075626dddc799

SHA256
b4439ea17b671cc8da41e7d1965fbc1b2cc5bdbbafac8700eb493ddb5b78d682

SHA512
1e6bc3bd36c138f1765fdcfb16c11cc7aa3841fe63df3374c8278d64992dc3c40c9518a61b8ed287f720eff9073b17c192289902dd21f1a699afcdcf780f4210

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\a.htm

Filesize
11KB

MD5
6ecf1c1f8ec085abb0e78143aee594cd

SHA1
5d6cdd6c511cf7d4d2582340dcb8c7cf38a80240

SHA256
ca9783415d89fefd4dafb64f652d3864c2a8a254ba0292d1a234b2ec158d8167

SHA512
70dbe9a7a6b921471c6b8709b88ebe59697dcd53af8969f07c74106e879639c38f3a83e48ba24bdee701a20ac0f721672249e52ad1d0ab79045a5ebf1e7e1492

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\dir.png

Filesize
456B

MD5
68ba6211daa2d054918b026d798ffc88

SHA1
726d965043c16168c7f34f95f87ae912ad94e0a7

SHA256
e931973218fe42f3e43cf5018d190b37251c893ac37341c4ce4edcf125c96103

SHA512
7468869693e41fdc7a495830ddd00ebe15b24c66122e7165ea0a2bed2b9df7977dcb610b2b0f8982aa66c1c52a7f70735c4e12a68de80eea4f06b841ba1afb5e

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\dot.gif

Filesize
43B

MD5
325472601571f31e1bf00674c368d335

SHA1
2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a

SHA256
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b

SHA512
717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\foot.png

Filesize
39KB

MD5
f8af296fa33fac05f92e549bf53236ff

SHA1
766f4722f2710fddce430837d0d762a98202e53a

SHA256
71f72b0021fef95849567eaa915ffd904eca574fc3fafca7d69c0c75285b1072

SHA512
0f0df3fb43be53bfcebdd9e73096e227ea2fa7b5e5ac72d1388be3e7901bf9cbae6fa0e123211a44cd1fc260efc1681197e13976e869c9d4359c57f15cf586b8

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\htmlayout.dll

Filesize
850KB

MD5
6d86e3a49392da678589c3e5eb82f9f3

SHA1
b7325e2acbf6b2135e3602379a66c3b22247081b

SHA256
17713d3a76a1f4b8d31e80bfb4a1ff666750c413d28cd744419a0e2b108cd891

SHA512
0b616aa6a36513ab432203ba2276d5221234f11b89cd1b789a6cde0d282bac6e5a5a17af34073b061f9fb7b360a9853a32493b1aa120efd8ae94ba0bdaf44dec

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\htmlayout.dll

Filesize
850KB

MD5
6d86e3a49392da678589c3e5eb82f9f3

SHA1
b7325e2acbf6b2135e3602379a66c3b22247081b

SHA256
17713d3a76a1f4b8d31e80bfb4a1ff666750c413d28cd744419a0e2b108cd891

SHA512
0b616aa6a36513ab432203ba2276d5221234f11b89cd1b789a6cde0d282bac6e5a5a17af34073b061f9fb7b360a9853a32493b1aa120efd8ae94ba0bdaf44dec

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\logo.png

Filesize
95KB

MD5
64943706a4c5f038fd533bbac19c075f

SHA1
1807c1075e9df445399934c81265898c53b1c445

SHA256
90a31d523f63992f9881cf5d8072a556c667b1d2b350977795a35cae0421893d

SHA512
3fe1fbef492e3821836a4985be20aced0fc854869448445f545b3ea0239323e6a8193d08fda1de8a393e9e1b39e48098865a091907f1cbe24437b5b1db21df9b

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\logo2.png

Filesize
40KB

MD5
2868f99c3c7291679b5b7c09b201cd5b

SHA1
9e80372156290f6e92377aec8a64a3adaf290888

SHA256
ed97d7b4f4940226f87b3579d1e626bfc7119ad7c4c3b9e36224b9c074a19e07

SHA512
31454a6ca882da202ececa0be1b742c4674c9fcd847ca28e208c72a233ad3099d8006e696748448dfa6c164d10b0ea3e43489f1d301271e4b08e729ea3414430

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\rubashka.css

Filesize
9KB

MD5
e3c6678ec350644897a26eca58746857

SHA1
9b9717cd2c687a5c6c072bae57cfe748208e9139

SHA256
dc212eba2a2f8b98edd5b9e3124f5d5a15674ea5cf42d0d90783a825ef18ee6e

SHA512
339bedde1c8094bd94d8a4732502daeec64195995adbff737cb42981db326ed8041acd272e95a5494313905e948b6ac366a047003198c11f2fdec8f3376603f1

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\sb-h-scroll-next.png

Filesize
120B

MD5
bb99aad46df5884042f16aade2860745

SHA1
5a026d15daec09a37a506e01165def15167cdf48

SHA256
154c5f934282eb914e4c663218f19c45eea929cef0c08df01a42ac3360dec4a8

SHA512
e2189e12b9a9c8e2b8fb69082cd46d8f3ec90902a0552c7dc62d59f35e73b1e522497c657668069704900823ff0c5c1e405a6fc8a8a329d1ef6ed22cd46cadaa

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\sb-h-scroll-prev.png

Filesize
113B

MD5
d6dbbc3b47474b8b61b243230b025383

SHA1
fc0ff69e98a4d94b97437aecfe3825d54af1004d

SHA256
23da351af0fa7e04d5ec8ae02dcf285d3c1f97770af7f84a7d2eeb55f52f4487

SHA512
3ec484047c9956b41fba853bc545cc0dc7ad935c8584baf3f34cd1a8379b2c5f3de77eee55ddd014ceff7df73da6ad8a59759386f5af6a261c5ea83e993fa9df

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\sb-scroll-back.png

Filesize
277B

MD5
7ff178f83f1ee1bd4309b80a82c09698

SHA1
508fc15af86d27e93085cdc0256cf76ac8d4ad9c

SHA256
ac01f2290c1d09eb546f182ac8f58f4933782d3b9e6653fb32f4454eee853bc9

SHA512
0e7a9a271241ae3d99adcc05891a8f0d04fa49d4e9cbaa566e6e4ab921be24b53ccb1dd7b64a9c4069498e2c39caedde21d57b6965ee4b44f5f5cf146631461b

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\sb-scroll-base.png

Filesize
116B

MD5
8f4e12d9272ea9f17473ab2d63ab257b

SHA1
6878bf64bb70151a9366adf4a97e0c24d34b89bf

SHA256
2a72fd67532466105252cb4d136f7ccd68eceaf9d0d5e47da23b1e0cf257d039

SHA512
2443eb8c4319f2705dc1e3ededf098979512bd739bf4d63c28f0f4e47896f0b99f710af9369fef7e61757eca1b9109e4633fb48c10548954b837d61abbde721f

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\sb-scroll-slider.png

Filesize
107B

MD5
9b021c963ba2c0c30aa874253d7ee592

SHA1
32d3dfb7860b0f39e5fae381f3f430cf846136b1

SHA256
8229e7a2f584a49b9b46e1036921b23d501885b44cf3991a56f53f6429536787

SHA512
b3615a76d11649efa693cf38aef9dd87c3c30a8fa7e35b402ec141a20f3a7a33c96b2578d036b3bda981aed6b0431b5256f2fad26bdf89ab80ac90b3819d270e

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\sb-v-scroll-next.png

Filesize
117B

MD5
752458771c868c972f3dc81703985ed4

SHA1
c2621e550dcd6252367f7e6c8b02ea8cf36034eb

SHA256
933a98b32a7b33df88de736aea6c05b799037e464f4fd3094a2b69dfc58cb2c6

SHA512
46c1c9847ee7208a7bf3a360629a1caa98d10450bef682f816949f08452903a1794f18aa3ba31ba39a292aa6b674196e81037f63255bc73cd58f48d80df90609

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\sb-v-scroll-prev.png

Filesize
112B

MD5
fddda771f7fb9f9757eacfc84bc62df2

SHA1
9a0f7e478d6ee1abd5800d5a03886edfa16e7d22

SHA256
184c5d577d53c480fd201a45012b4e8a7a89ff6b3f3fdb8c2b097ac746cb9966

SHA512
307c351815de9213d951cd6c93c618afda343011728e4558e57fb0b421e7a5fd8a416df9979d9bdf1568d1a86bf450270dfa6806fa763e29c024db692ce04dc5

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\scroll.css

Filesize
2KB

MD5
2a0f3375097fffa8713e1dc58199bb15

SHA1
20fc1212036bccc2a6ffbf126202701fa3008723

SHA256
d71970f8161b83dc7c4ac43c6258550f612a496aadc3a076ccd7bd587ae26eeb

SHA512
1779ef5b3781b9b98890812339967b96e15f9ade5728ac174b8a1b41f2d1ee3ed84fde0edf5e4bbbd02aa1a2cc02cb02edbc2c2573e359ab2ae6677998a8e326

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\wfont.ttf

Filesize
295KB

MD5
86642b7cdddbdb7a084ce0cd43d3facb

SHA1
92d3c9239747fe0ba20e519dbc618e9f0ab2de0d

SHA256
1cd1ed92dff6d44a889073bb685ed6fe1ef195a93d23366ff628ce09af87756c

SHA512
1cdd3c1907a3e2f7a75250f43ed85d7611d1fa8b40d028c5c2bbe3009a6ab426fc5767004728732f5ce1c38b77dacbb963bdbe3527a9f8e1aff5b60ae48b093b

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\wzipstart.exe

Filesize
1.2MB

MD5
d46a23f2600589df21022134d5bd120e

SHA1
0d6ca18f4c95d415d7dd0d160ac0c2fc7ed5a5ce

SHA256
db218335d11ea6a0c0822f084551a76de7780b6b54255ce5dcbdde1edde45f0c

SHA512
af5f07f573dd36e0533b90e739ada401c88d23105cbd0e08fdcad59547176b70d296475482b5fd99bceb6d100180f5cdf521b668dc6a5707f317f4954d4c2699

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\wzipstart.exe

Filesize
1.2MB

MD5
d46a23f2600589df21022134d5bd120e

SHA1
0d6ca18f4c95d415d7dd0d160ac0c2fc7ed5a5ce

SHA256
db218335d11ea6a0c0822f084551a76de7780b6b54255ce5dcbdde1edde45f0c

SHA512
af5f07f573dd36e0533b90e739ada401c88d23105cbd0e08fdcad59547176b70d296475482b5fd99bceb6d100180f5cdf521b668dc6a5707f317f4954d4c2699

Download Submit
C:\Users\Admin\AppData\Roaming\winzipsoft\wzipstart.exe

Filesize
1.2MB

MD5
d46a23f2600589df21022134d5bd120e

SHA1
0d6ca18f4c95d415d7dd0d160ac0c2fc7ed5a5ce

SHA256
db218335d11ea6a0c0822f084551a76de7780b6b54255ce5dcbdde1edde45f0c

SHA512
af5f07f573dd36e0533b90e739ada401c88d23105cbd0e08fdcad59547176b70d296475482b5fd99bceb6d100180f5cdf521b668dc6a5707f317f4954d4c2699

Download Submit
memory/4612-142-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4612-176-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4808-156-0x0000000010000000-0x0000000010105000-memory.dmp

Filesize
1.0MB

Download
memory/4808-151-0x00000000022C1000-0x0000000002383000-memory.dmp

Filesize
776KB

Download
memory/4808-157-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4808-170-0x0000000010000000-0x000000001022A000-memory.dmp

Filesize
2.2MB

Download
memory/4808-158-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4808-144-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4808-145-0x00000000022C0000-0x00000000023C5000-memory.dmp

Filesize
1.0MB

Download
memory/4808-175-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4808-152-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4808-153-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4808-178-0x0000000010000000-0x000000001022A000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads