1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62

Analysis

max time kernel
212s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
Size

1.8MB
MD5

6bf94b8f289fd9ae2527e04797c0b316
SHA1

4197f2fde26297726daf4691df0e995f6621cea4
SHA256

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62
SHA512

430b6d6a7591deb73ee3823e940fa6d203291ec1f7ec9c535e8c66e657932ac875a4b077b6661ce27ac21d97672edf8468917c6103392996fd8ea463f57f419b
SSDEEP

49152:J8RgpKPHUSzXKEva43f9MgARCJtH2blUvXJeuODfvAnt:J8RgpszaEv39MgFLWJUv0DHAnt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

1.exeDZUpdata.exe

pid process

2712 1.exe
1568 DZUpdata.exe

pid	process
2712	1.exe
1568	DZUpdata.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\1.exe	upx
C:\1.exe	upx
behavioral2/memory/2712-1493-0x0000000000400000-0x000000000041B000-memory.dmp	upx
C:\Windows\SysWOW64\DZUpdata.exe	upx
behavioral2/memory/2712-1499-0x0000000000400000-0x000000000041B000-memory.dmp	upx
C:\Windows\SysWOW64\DZUpdata.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation 1.exe
Loads dropped DLL 3 IoCs

Processes:

1.exeDZUpdata.exe

pid process

2712 1.exe
1568 DZUpdata.exe
1568 DZUpdata.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	1.exe

pid	process
2712	1.exe
1568	DZUpdata.exe
1568	DZUpdata.exe

Drops file in System32 directory 5 IoCs

Processes:

DZUpdata.exe1.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	DZUpdata.exe
File created	C:\Windows\SysWOW64\dzsspx.dll	1.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	1.exe
File created	C:\Windows\SysWOW64\DZUpdata.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\DZUpdata.exe	1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

pid	process
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

1.exe

pid process

2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
2712 1.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

1.exeDZUpdata.exe

pid process

2712 1.exe
648
1568 DZUpdata.exe
648
1568 DZUpdata.exe
648
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1.exeDZUpdata.exe

description pid process

Token: SeLoadDriverPrivilege 2712 1.exe
Token: SeLoadDriverPrivilege 1568 DZUpdata.exe
Token: SeLoadDriverPrivilege 1568 DZUpdata.exe

pid	process
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe
2712	1.exe

pid	process
2712	1.exe
648
1568	DZUpdata.exe
648
1568	DZUpdata.exe
648

description	pid	process
Token: SeLoadDriverPrivilege	2712	1.exe
Token: SeLoadDriverPrivilege	1568	DZUpdata.exe
Token: SeLoadDriverPrivilege	1568	DZUpdata.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

pid	process
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe1.exe

description	pid	process	target process
PID 2640 wrote to memory of 2712	2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	1.exe
PID 2640 wrote to memory of 2712	2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	1.exe
PID 2640 wrote to memory of 2712	2640	1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe	1.exe
PID 2712 wrote to memory of 1568	2712	1.exe	DZUpdata.exe
PID 2712 wrote to memory of 1568	2712	1.exe	DZUpdata.exe
PID 2712 wrote to memory of 1568	2712	1.exe	DZUpdata.exe
PID 2712 wrote to memory of 4688	2712	1.exe	cmd.exe
PID 2712 wrote to memory of 4688	2712	1.exe	cmd.exe
PID 2712 wrote to memory of 4688	2712	1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe
"C:\Users\Admin\AppData\Local\Temp\1e874ea2052c99e1de54179aa616b1532bb2f8400fa59efbea83349a43603e62.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\1.exe
C:\1.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\DZUpdata.exe
"C:\Windows\system32\DZUpdata.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\uisad.bat
3⤵
PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
C:\1.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
C:\Windows\SysWOW64\DZUpdata.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
C:\Windows\SysWOW64\DZUpdata.exe

Filesize
67KB

MD5
fae54064bbcf7bea0581de0c2f3b054d

SHA1
a73e51aae298573ca2e16fae367f0ffb6ee987b8

SHA256
760e97c46000f73852db0141b59e9da9f85fdeb705e10ab8064a3ead0cf71dcd

SHA512
b7456df97f575fd1997168a3697db8f3545e6e75f366b51ce93fb314bc26ea212ac7ef0388b858996aee310365b0c131d76c4ed5304f294c5b34fb24f0fcd953

Download Submit
C:\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
C:\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
C:\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
C:\Windows\SysWOW64\dzsspx.dll

Filesize
72KB

MD5
b0df9c25e73827cf81753c3590473d12

SHA1
94340eaa154f0240a89fa39fb4fab5b667c716c5

SHA256
b779b8c3557505c107f60831c2f236c8d3032e37c97b59cb16fe30b4e1c515ea

SHA512
8094d4c6b58fbf4c7dec23daf1a8704f10830a9c4955fd6a65357e6ee4d7c7fb95109d9bcbfdfecdb11fe659087265c922fc0809c780a712b6f36770afc684f9

Download Submit
C:\Windows\SysWOW64\zmdll.lst

Filesize
200B

MD5
71e539b4a9cd906dd570d63c2e22825b

SHA1
d064af4fbcc90f84c3f480c6af1b47899f8c5fbd

SHA256
d3c4bebd347c8c8c62cd2a2a78efe8d55c252c36a013f93583660f92a7560535

SHA512
1bf057c06a27e630ac7e7859baa89a59882b83f02eae091297b3a2295721ab8a80015475453095390af83a94698a82fc5c9a1111ae3e796393cfe4b80e50612a

Download Submit
\??\c:\uisad.bat

Filesize
61B

MD5
7fc222ffde0ac3678015f5acbc4c34ec

SHA1
43695879e1cff2d91b4ad3f75429ba773c9182a5

SHA256
e2b96bde54a53f909caeacfbc4f804226f123767d63bf71d180753d1d978a425

SHA512
cd3ae51f281dc6e41af91f43c2b5cdca11605ccaf6687dcde724cac3449eee099ec2a652d52f43582ae0f6bc277dd63e89ba9176b43cc92e11b19a73d94eef1c

Download Submit
memory/1568-1495-0x0000000000000000-mapping.dmp

Download
memory/2640-132-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-1489-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-1483-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-1481-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-137-0x0000000076B20000-0x0000000076B9A000-memory.dmp

Filesize
488KB

Download
memory/2640-1484-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-136-0x0000000075680000-0x0000000075820000-memory.dmp

Filesize
1.6MB

Download
memory/2640-134-0x0000000076BA0000-0x0000000076DB5000-memory.dmp

Filesize
2.1MB

Download
memory/2640-1488-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-133-0x0000000077280000-0x0000000077423000-memory.dmp

Filesize
1.6MB

Download
memory/2640-1482-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-1487-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2640-1486-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2712-1499-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-1493-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-1490-0x0000000000000000-mapping.dmp

Download
memory/4688-1497-0x0000000000000000-mapping.dmp

Download