a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe
Size

237KB
MD5

1279f64083b527a9a88286001fa40060
SHA1

c8c0f194260bc32d8d69e79fe2560116712c3add
SHA256

a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec
SHA512

443601a3075105a42ff93e0b05dd6aa620f5cab223f4603e103eda2640fc3d820a12911f65a50fc09d27a9cffb12570c93cf8e0833321fb8932e132df9f50fb6
SSDEEP

3072:s5CwNbNuyNGJYKBKXBiwwd0nj8FG0tQkBXE7Hn1Joc:YNbIXJYKBkBiwwI8FrtNBXiHD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4548	Znukaa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Znukaa.exe	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe
File opened for modification	C:\Windows\Znukaa.exe	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Znukaa.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Znukaa.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	Znukaa.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\International	Znukaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe
4548	Znukaa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3040	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe
4548	Znukaa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3040	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe
4548	Znukaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4548	3040	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe	82
PID 3040 wrote to memory of 4548	3040	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe	82
PID 3040 wrote to memory of 4548	3040	a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe	82

C:\Users\Admin\AppData\Local\Temp\a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe
"C:\Users\Admin\AppData\Local\Temp\a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Znukaa.exe
  C:\Windows\Znukaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
426B

MD5
911667958afa40307f2df8320a61685e

SHA1
2e177febf87b99a3472e5d14f151e3990b0aad76

SHA256
b15fd0c0ec24b9a70c23ea2a8c6e1aabd9a2415ddd55faaaaee5a5b22d4a5d24

SHA512
18ab7cbea7439a11b32e0cc0e752e3b0b1669dd18d5570a4aac5489d9fd8c07a72840a10219266bfa3564fb04dbe34cf44f35bdd97266d5bc9198a0d1d6f8704

Download Submit
C:\Windows\Znukaa.exe

Filesize
237KB

MD5
1279f64083b527a9a88286001fa40060

SHA1
c8c0f194260bc32d8d69e79fe2560116712c3add

SHA256
a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec

SHA512
443601a3075105a42ff93e0b05dd6aa620f5cab223f4603e103eda2640fc3d820a12911f65a50fc09d27a9cffb12570c93cf8e0833321fb8932e132df9f50fb6

Download Submit
C:\Windows\Znukaa.exe

Filesize
237KB

MD5
1279f64083b527a9a88286001fa40060

SHA1
c8c0f194260bc32d8d69e79fe2560116712c3add

SHA256
a512461da21091e013406a643a00cd9f5edd1d6e50a9734790b87e583ffec8ec

SHA512
443601a3075105a42ff93e0b05dd6aa620f5cab223f4603e103eda2640fc3d820a12911f65a50fc09d27a9cffb12570c93cf8e0833321fb8932e132df9f50fb6

Download Submit
memory/3040-132-0x0000000002A90000-0x0000000002AAA000-memory.dmp

Filesize
104KB

Download
memory/3040-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download