1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
Size

1.8MB
MD5

6bf94b8f289fd9ae2527e04797c0b316
SHA1

4197f2fde26297726daf4691df0e995f6621cea4
SHA256

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62
SHA512

430b6d6a7591deb73ee3823e940fa6d203291ec1f7ec9c535e8c66e657932ac875a4b077b6661ce27ac21d97672edf8468917c6103392996fd8ea463f57f419b
SSDEEP

49152:J8RgpKPHUSzXKEva43f9MgARCJtH2blUvXJeuODfvAnt:J8RgpszaEv39MgFLWJUv0DHAnt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

1.exeDZUpdata.exe

pid process

1052 1.exe
268 DZUpdata.exe

pid	process
1052	1.exe
268	DZUpdata.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\1.exe	upx
behavioral1/memory/1052-5091-0x0000000000400000-0x000000000041B000-memory.dmp	upx
C:\1.exe	upx
\Windows\SysWOW64\DZUpdata.exe	upx
\Windows\SysWOW64\DZUpdata.exe	upx
C:\Windows\SysWOW64\DZUpdata.exe	upx
behavioral1/memory/1052-5104-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

1.exeDZUpdata.exe

pid process

1052 1.exe
1052 1.exe
1052 1.exe
268 DZUpdata.exe
268 DZUpdata.exe

pid	process
1052	1.exe
1052	1.exe
1052	1.exe
268	DZUpdata.exe
268	DZUpdata.exe

Drops file in System32 directory 5 IoCs

Processes:

1.exeDZUpdata.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DZUpdata.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\DZUpdata.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	DZUpdata.exe
File created	C:\Windows\SysWOW64\dzsspx.dll	1.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

pid	process
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000fce7bd9579700062fb251bb71fff15937be0a860cc867fb66e8a82470390b858000000000e8000000002000020000000e9303c561d816f64fe99dc03fdb9b3969b32f1a3e30468ac8db2d6daf762d4de20000000dbefe8fb03ee59c0d8377ab788f0549a6b426e0ea73f190d0fc5e4c3e57a0c5240000000eddff465a61de3a6ac7e1a7bc7a3fc12e03be9ab223f59a5f949d021129c31fba458d4a6b9d68f8bba5228c344e6921e73a1b62825c8e7b82304276a7890da4d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B187B11-6B61-11ED-8DFC-667719A561AF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f0bb706effd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375995222"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000006d2e9ee0e08cb156cce3893b28c4597dbb37aaaff07cb885881966e510a2b70e000000000e80000000020000200000000bba0aad9f35e0fe9677111c42b6eb8ddc8fa7f7e2815a092e2e4ffea4d1bd9290000000862b0736ecb948b25a649d977722701310139346f85794f9a6a30563ddfaf1f81befd90ddbcc29478584c49921ad4b1b03c14a8464b372ce74193f6eb59f8d3ad09b93aa5e70073d3c8d2d8860ad920870182aa932ee34e200b347d95f35c4bffb3a18d104910fc30748570978da41b584f9b6250ab9df78c9e239aadc012172aaea5a1324c3cac4ec27150699b4c3a840000000444ea039c9a1111172b93cbda18ec0c0ad71ed8e40e66203c162a092e2c50ff323102bce335ffbf7d337129ca1b70bbfde422274cc52d305e0279bafae1820cb	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1.exe

pid process

1052 1.exe
1052 1.exe
1052 1.exe
1052 1.exe
1052 1.exe
1052 1.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

1.exeDZUpdata.exe

pid process

1052 1.exe
464
268 DZUpdata.exe
464
268 DZUpdata.exe
464
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1.exeDZUpdata.exe

description pid process

Token: SeLoadDriverPrivilege 1052 1.exe
Token: SeLoadDriverPrivilege 268 DZUpdata.exe
Token: SeLoadDriverPrivilege 268 DZUpdata.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1780 iexplore.exe

pid	process
1052	1.exe
1052	1.exe
1052	1.exe
1052	1.exe
1052	1.exe
1052	1.exe

pid	process
1052	1.exe
464
268	DZUpdata.exe
464
268	DZUpdata.exe
464

description	pid	process
Token: SeLoadDriverPrivilege	1052	1.exe
Token: SeLoadDriverPrivilege	268	DZUpdata.exe
Token: SeLoadDriverPrivilege	268	DZUpdata.exe

pid	process
1780	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exeiexplore.exeIEXPLORE.EXE

pid	process
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
1780	iexplore.exe
1780	iexplore.exe
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe1.exeiexplore.exe

description	pid	process	target process
PID 1672 wrote to memory of 1052	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	1.exe
PID 1672 wrote to memory of 1052	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	1.exe
PID 1672 wrote to memory of 1052	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	1.exe
PID 1672 wrote to memory of 1052	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	1.exe
PID 1052 wrote to memory of 268	1052	1.exe	DZUpdata.exe
PID 1052 wrote to memory of 268	1052	1.exe	DZUpdata.exe
PID 1052 wrote to memory of 268	1052	1.exe	DZUpdata.exe
PID 1052 wrote to memory of 268	1052	1.exe	DZUpdata.exe
PID 1052 wrote to memory of 904	1052	1.exe	cmd.exe
PID 1052 wrote to memory of 904	1052	1.exe	cmd.exe
PID 1052 wrote to memory of 904	1052	1.exe	cmd.exe
PID 1052 wrote to memory of 904	1052	1.exe	cmd.exe
PID 1672 wrote to memory of 1780	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	iexplore.exe
PID 1672 wrote to memory of 1780	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	iexplore.exe
PID 1672 wrote to memory of 1780	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	iexplore.exe
PID 1672 wrote to memory of 1780	1672	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	iexplore.exe
PID 1780 wrote to memory of 1140	1780	iexplore.exe	IEXPLORE.EXE
PID 1780 wrote to memory of 1140	1780	iexplore.exe	IEXPLORE.EXE
PID 1780 wrote to memory of 1140	1780	iexplore.exe	IEXPLORE.EXE
PID 1780 wrote to memory of 1140	1780	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
"C:\Users\Admin\AppData\Local\Temp\1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\1.exe
C:\1.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\DZUpdata.exe
"C:\Windows\system32\DZUpdata.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\uisad.bat
3⤵
PID:904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.waig8.com/soft/4051.html?gx
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
C:\1.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15a82ef89addd758ea46eef21c120aeb

SHA1
1462d865b009c81aba35dfe60a84158f1fdc8c85

SHA256
a9eff52d414e5a81921f60a64cc8abbd81a6951e2c0e9b3870d700f9ab8b7ca4

SHA512
43af2a80c1edf343273cd70c4e288fd28a49a83fe14b6e8a4baf2ac32efe63c67eac63bdbde10ae4b1bd2eac84da3eb60a1e6ebb2dc2f605130437e913dd8bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IXWRS6CC.txt

Filesize
603B

MD5
378dc7a2bbf0e45ee926c7eea14e9a73

SHA1
24193ca674be7f88942de275e898887cc5ea1072

SHA256
538ab072dbbedd1af55b628f37a11c222562042fb681e0458d531c12f86498a9

SHA512
83f8051af1981b90b7194d513578d2735bfa06cf9c7825462f9d4ed11c84d5b25a4787589d8f0b33be40ebe410e0cf162417b0df1dfeb31ea752fedfefd62fa6

Download Submit
C:\Windows\SysWOW64\DZUpdata.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
C:\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
C:\Windows\SysWOW64\zmdll.lst

Filesize
200B

MD5
8e880127d370458abccd2c1b7d0e8ba1

SHA1
9370dad2ef59758386997a8a129864e337666490

SHA256
e4ec45db755535d940a24a31d706c02fabc4fc8bf4fc92ec80c4107597a8cd0b

SHA512
ae7df9bfaede714c6631c441a4edbbf960ded7a8d40bb8a29c0c603fdf498fd874b971ad74da8df5a021ea1a2283a68533320be5c7eaf6372f108f6d3d093319

Download Submit
\??\c:\uisad.bat

Filesize
61B

MD5
7fc222ffde0ac3678015f5acbc4c34ec

SHA1
43695879e1cff2d91b4ad3f75429ba773c9182a5

SHA256
e2b96bde54a53f909caeacfbc4f804226f123767d63bf71d180753d1d978a425

SHA512
cd3ae51f281dc6e41af91f43c2b5cdca11605ccaf6687dcde724cac3449eee099ec2a652d52f43582ae0f6bc277dd63e89ba9176b43cc92e11b19a73d94eef1c

Download Submit
\Windows\SysWOW64\DZUpdata.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
\Windows\SysWOW64\DZUpdata.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
memory/268-5098-0x0000000000000000-mapping.dmp

Download
memory/904-5101-0x0000000000000000-mapping.dmp

Download
memory/1052-5104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-5091-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-5086-0x0000000000000000-mapping.dmp

Download
memory/1672-510-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-519-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-470-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-487-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-488-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-486-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-485-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-484-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-483-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-482-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-481-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-492-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-496-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-497-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-498-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-499-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-502-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-503-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-501-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-500-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-495-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-494-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-493-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-491-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-490-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-489-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-505-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-506-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-507-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-509-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1672-508-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-504-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-512-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-513-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-511-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-514-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-515-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-517-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-516-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-520-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-471-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-518-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-521-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-522-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-524-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-523-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-1502-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-1504-0x0000000002360000-0x00000000024E1000-memory.dmp

Filesize
1.5MB

Download
memory/1672-3748-0x000000000261D000-0x000000000261F000-memory.dmp

Filesize
8KB

Download
memory/1672-3746-0x000000000261D000-0x000000000261F000-memory.dmp

Filesize
8KB

Download
memory/1672-3906-0x0000000002220000-0x0000000002320000-memory.dmp

Filesize
1024KB

Download
memory/1672-4101-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-5084-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1672-5085-0x00000000024F0000-0x00000000025F1000-memory.dmp

Filesize
1.0MB

Download
memory/1672-472-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-475-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-5089-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/1672-5090-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/1672-476-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-5092-0x000000000261D000-0x000000000261F000-memory.dmp

Filesize
8KB

Download
memory/1672-5093-0x0000000002220000-0x0000000002320000-memory.dmp

Filesize
1024KB

Download
memory/1672-477-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-478-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-480-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-479-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-474-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-473-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-463-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-464-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-465-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-467-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-469-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-468-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-466-0x0000000002610000-0x0000000002721000-memory.dmp

Filesize
1.1MB

Download
memory/1672-5108-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1672-5110-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/1672-5109-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/1672-57-0x00000000769E0000-0x0000000076A27000-memory.dmp

Filesize
284KB

Download
memory/1672-55-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1672-5113-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download