dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
Size

341KB
MD5

13d33a9ff6c77a3b7d08a4557d0a5e67
SHA1

78adf14b76c5f6ed6f94172ae1ea9ff756d65776
SHA256

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7
SHA512

00dcb19ac270b06914c35e38f467bd49d4f3829f74f4d98e1c2af7e6c73e43eff7613127b483653b6d35d2d4aa3ed64a8c0e562a1542786db6493df0faf016b8
SSDEEP

6144:bLwrTiWBUMLRr4ruCg4b4m+HSyD3YxHQnkcJFo9FR0YxlHA/7:bLwrTiqBLR0uFkrW3sHdcJFGFRPHs7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

zuato.exe

pid process

1272 zuato.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

616 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe

pid process

836 dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe

pid	process
1272	zuato.exe

pid	process
616	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zuato.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	zuato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zuato = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Quosy\\zuato.exe"	zuato.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe

description pid process target process

PID 836 set thread context of 616 836 dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe cmd.exe

description	pid	process	target process
PID 836 set thread context of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exezuato.exe

pid	process
836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe
1272	zuato.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exezuato.exe

description	pid	process	target process
PID 836 wrote to memory of 1272	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	zuato.exe
PID 836 wrote to memory of 1272	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	zuato.exe
PID 836 wrote to memory of 1272	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	zuato.exe
PID 836 wrote to memory of 1272	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	zuato.exe
PID 1272 wrote to memory of 1228	1272	zuato.exe	taskhost.exe
PID 1272 wrote to memory of 1228	1272	zuato.exe	taskhost.exe
PID 1272 wrote to memory of 1228	1272	zuato.exe	taskhost.exe
PID 1272 wrote to memory of 1228	1272	zuato.exe	taskhost.exe
PID 1272 wrote to memory of 1228	1272	zuato.exe	taskhost.exe
PID 1272 wrote to memory of 1316	1272	zuato.exe	Dwm.exe
PID 1272 wrote to memory of 1316	1272	zuato.exe	Dwm.exe
PID 1272 wrote to memory of 1316	1272	zuato.exe	Dwm.exe
PID 1272 wrote to memory of 1316	1272	zuato.exe	Dwm.exe
PID 1272 wrote to memory of 1316	1272	zuato.exe	Dwm.exe
PID 1272 wrote to memory of 1352	1272	zuato.exe	Explorer.EXE
PID 1272 wrote to memory of 1352	1272	zuato.exe	Explorer.EXE
PID 1272 wrote to memory of 1352	1272	zuato.exe	Explorer.EXE
PID 1272 wrote to memory of 1352	1272	zuato.exe	Explorer.EXE
PID 1272 wrote to memory of 1352	1272	zuato.exe	Explorer.EXE
PID 1272 wrote to memory of 836	1272	zuato.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 1272 wrote to memory of 836	1272	zuato.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 1272 wrote to memory of 836	1272	zuato.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 1272 wrote to memory of 836	1272	zuato.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 1272 wrote to memory of 836	1272	zuato.exe	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 836 wrote to memory of 616	836	dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe	cmd.exe
PID 1272 wrote to memory of 1200	1272	zuato.exe	conhost.exe
PID 1272 wrote to memory of 1200	1272	zuato.exe	conhost.exe
PID 1272 wrote to memory of 1200	1272	zuato.exe	conhost.exe
PID 1272 wrote to memory of 1200	1272	zuato.exe	conhost.exe
PID 1272 wrote to memory of 1200	1272	zuato.exe	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe
"C:\Users\Admin\AppData\Local\Temp\dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\Quosy\zuato.exe
"C:\Users\Admin\AppData\Local\Temp\Quosy\zuato.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZB70EC.bat"
3⤵
- Deletes itself
PID:616

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1377475999838651538-16041656851852331524-1107243486-272541279-247004355-1491403262"
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Quosy\zuato.exe

Filesize
341KB

MD5
1028c9141b0989662b7eb80318b98337

SHA1
2eec8e0bfcea77260675733c2c4e5893573831a7

SHA256
41c0d56a0becbe920308278e0c53a158cce0e040f4c42f5ab027c3b219f0b0f1

SHA512
77af81b1a84e03c70f37c551b9036dd35580f1dd8af59066d44424165fe1cec502f3f80236d10ef63c47e173d0f97b42dddcccd4256f4f4d15dc9a670dd4704b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quosy\zuato.exe

Filesize
341KB

MD5
1028c9141b0989662b7eb80318b98337

SHA1
2eec8e0bfcea77260675733c2c4e5893573831a7

SHA256
41c0d56a0becbe920308278e0c53a158cce0e040f4c42f5ab027c3b219f0b0f1

SHA512
77af81b1a84e03c70f37c551b9036dd35580f1dd8af59066d44424165fe1cec502f3f80236d10ef63c47e173d0f97b42dddcccd4256f4f4d15dc9a670dd4704b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZB70EC.bat

Filesize
274B

MD5
73c029b87eb657ab983ff8b0b351b5b3

SHA1
149e8581e21eee3c4207e5accd115e1f6840bb16

SHA256
8a085e21a8fffa0368d359c93af7d7a0b516a353ddf3abad51436c3642446794

SHA512
e27ea65e07aeb449cde3bb6447b0a4305dc418f29de70447d5de59af6b33e80428beeb7a1056b304b16fb570cdbeaf3b63e866dee8fe2577414135bb0b02e7d0

Download Submit
\Users\Admin\AppData\Local\Temp\Quosy\zuato.exe

Filesize
341KB

MD5
1028c9141b0989662b7eb80318b98337

SHA1
2eec8e0bfcea77260675733c2c4e5893573831a7

SHA256
41c0d56a0becbe920308278e0c53a158cce0e040f4c42f5ab027c3b219f0b0f1

SHA512
77af81b1a84e03c70f37c551b9036dd35580f1dd8af59066d44424165fe1cec502f3f80236d10ef63c47e173d0f97b42dddcccd4256f4f4d15dc9a670dd4704b

Download Submit
memory/616-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/616-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/616-117-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/616-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/616-99-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/616-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/616-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/616-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/616-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/616-102-0x0000000000075D23-mapping.dmp

Download
memory/616-96-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/616-100-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/836-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/836-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/836-55-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/836-86-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/836-85-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/836-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/836-87-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/836-84-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/836-101-0x0000000000050000-0x00000000000D3000-memory.dmp

Filesize
524KB

Download
memory/836-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/836-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/836-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/836-56-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1200-116-0x0000000000110000-0x0000000000152000-memory.dmp

Filesize
264KB

Download
memory/1200-115-0x0000000000110000-0x0000000000152000-memory.dmp

Filesize
264KB

Download
memory/1200-113-0x0000000000110000-0x0000000000152000-memory.dmp

Filesize
264KB

Download
memory/1200-114-0x0000000000110000-0x0000000000152000-memory.dmp

Filesize
264KB

Download
memory/1228-66-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1228-68-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1228-67-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1228-64-0x0000000001BA0000-0x0000000001BE2000-memory.dmp

Filesize
264KB

Download
memory/1272-58-0x0000000000000000-mapping.dmp

Download
memory/1316-72-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1316-73-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1316-74-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1316-75-0x0000000001AC0000-0x0000000001B02000-memory.dmp

Filesize
264KB

Download
memory/1352-81-0x0000000002A20000-0x0000000002A62000-memory.dmp

Filesize
264KB

Download
memory/1352-78-0x0000000002A20000-0x0000000002A62000-memory.dmp

Filesize
264KB

Download
memory/1352-79-0x0000000002A20000-0x0000000002A62000-memory.dmp

Filesize
264KB

Download
memory/1352-80-0x0000000002A20000-0x0000000002A62000-memory.dmp

Filesize
264KB

Download