d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
Size

63KB
MD5

ac0569464a8817dc6dbbafb6daf4ef0d
SHA1

90622529e549e1ed077a200bdf67ff9b90b3c273
SHA256

d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1
SHA512

64bd1ed62c514ed8f572a399bed8865d4d770c4c7e031f26af74df3485a5f1c3c691b0bccc7146bb499f7642b5d92f7aa1f3bbb2508179ea7455b947867b5a29
SSDEEP

1536:/BXUmg9ujppHxFARYUPjjAv6fU6zvpL6YjXyFNtt:/BPFvU7jAv686rv+z

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\zqeyud\Parameters\ServiceDll = "%SystemRoot%\\System32\\nxzsyo.dll"	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe

Deletes itself 1 IoCs

pid	Process
1364	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1492	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
1364	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0005c39b.001	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
File created	C:\Windows\SysWOW64\nxzsyo.dll	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe

C:\Users\Admin\AppData\Local\Temp\d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
"C:\Users\Admin\AppData\Local\Temp\d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k zqeyud
1⤵
- Deletes itself
- Loads dropped DLL
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\nxzsyo.dll

Filesize
91KB

MD5
40046145227485d70756602e4cb88900

SHA1
fbf0519b2f92d6fccad42422930f58862148d5e9

SHA256
ea582fbd877032eb30d5fdcfdcdfd03e1d58a6e855f8caee8fa08b3ca4674da0

SHA512
8be6a7b456b4fe6f12805e49d277a5cf1425cdfa7dd1b8028ad02e3975ddefcdf58912d5ff05941710aa3f181554411282a1a9618dd534823000df9414d4ae42

Download Submit
\Windows\SysWOW64\nxzsyo.dll

Filesize
91KB

MD5
40046145227485d70756602e4cb88900

SHA1
fbf0519b2f92d6fccad42422930f58862148d5e9

SHA256
ea582fbd877032eb30d5fdcfdcdfd03e1d58a6e855f8caee8fa08b3ca4674da0

SHA512
8be6a7b456b4fe6f12805e49d277a5cf1425cdfa7dd1b8028ad02e3975ddefcdf58912d5ff05941710aa3f181554411282a1a9618dd534823000df9414d4ae42

Download Submit
\Windows\SysWOW64\nxzsyo.dll

Filesize
91KB

MD5
40046145227485d70756602e4cb88900

SHA1
fbf0519b2f92d6fccad42422930f58862148d5e9

SHA256
ea582fbd877032eb30d5fdcfdcdfd03e1d58a6e855f8caee8fa08b3ca4674da0

SHA512
8be6a7b456b4fe6f12805e49d277a5cf1425cdfa7dd1b8028ad02e3975ddefcdf58912d5ff05941710aa3f181554411282a1a9618dd534823000df9414d4ae42

Download Submit
memory/1364-61-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1364-62-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1492-55-0x0000000075001000-0x0000000075003000-memory.dmp

Filesize
8KB

Download
memory/1492-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-60-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download