c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07

General

Target

c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
Size

367KB
MD5

cb09b98325f277a73fc65aeef580527e
SHA1

bd5a500c4d35a612d3043effdb96786d8b345edf
SHA256

c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07
SHA512

0ea13925ba66677e6fb22493c9f749e649b17fad0548645c2c9bb37ace0275e5d07f5eb55d41a8f9e7fadaa9e959f8d4f6311f2e3431f97bb5d6492a58d3e171
SSDEEP

3072:N1uMX4rv7jtHXyamOabGu7rV4XA+uCGqSrAIs3AWQLfuc630JY6SokEn9o7RBCDK:NN4bn1aqjFutqSkIhVm30JTaCM

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

zielb.exezielb.exe

pid process

1756 zielb.exe
1276 zielb.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2028 cmd.exe

pid	process
1756	zielb.exe
1276	zielb.exe

pid	process
2028	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe

pid	process
808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zielb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	zielb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	zielb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Iqupqeetto = "C:\\Users\\Admin\\AppData\\Roaming\\Ruto\\zielb.exe"	zielb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exezielb.exe

description	pid	process	target process
PID 108 set thread context of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 1756 set thread context of 1276	1756	zielb.exe	zielb.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exezielb.exezielb.exe

pid	process
108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
1756	zielb.exe
1756	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe
1276	zielb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe

description	pid	process
Token: SeSecurityPrivilege	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
Token: SeSecurityPrivilege	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exec304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exezielb.exezielb.exe

description	pid	process	target process
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 108 wrote to memory of 808	108	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
PID 808 wrote to memory of 1756	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	zielb.exe
PID 808 wrote to memory of 1756	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	zielb.exe
PID 808 wrote to memory of 1756	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	zielb.exe
PID 808 wrote to memory of 1756	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 1756 wrote to memory of 1276	1756	zielb.exe	zielb.exe
PID 808 wrote to memory of 2028	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	cmd.exe
PID 808 wrote to memory of 2028	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	cmd.exe
PID 808 wrote to memory of 2028	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	cmd.exe
PID 808 wrote to memory of 2028	808	c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe	cmd.exe
PID 1276 wrote to memory of 1228	1276	zielb.exe	taskhost.exe
PID 1276 wrote to memory of 1228	1276	zielb.exe	taskhost.exe
PID 1276 wrote to memory of 1228	1276	zielb.exe	taskhost.exe
PID 1276 wrote to memory of 1228	1276	zielb.exe	taskhost.exe
PID 1276 wrote to memory of 1228	1276	zielb.exe	taskhost.exe
PID 1276 wrote to memory of 1316	1276	zielb.exe	Dwm.exe
PID 1276 wrote to memory of 1316	1276	zielb.exe	Dwm.exe
PID 1276 wrote to memory of 1316	1276	zielb.exe	Dwm.exe
PID 1276 wrote to memory of 1316	1276	zielb.exe	Dwm.exe
PID 1276 wrote to memory of 1316	1276	zielb.exe	Dwm.exe
PID 1276 wrote to memory of 1360	1276	zielb.exe	Explorer.EXE
PID 1276 wrote to memory of 1360	1276	zielb.exe	Explorer.EXE
PID 1276 wrote to memory of 1360	1276	zielb.exe	Explorer.EXE
PID 1276 wrote to memory of 1360	1276	zielb.exe	Explorer.EXE
PID 1276 wrote to memory of 1360	1276	zielb.exe	Explorer.EXE
PID 1276 wrote to memory of 1052	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 1052	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 1052	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 1052	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 1052	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 2012	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 2012	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 2012	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 2012	1276	zielb.exe	DllHost.exe
PID 1276 wrote to memory of 2012	1276	zielb.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
"C:\Users\Admin\AppData\Local\Temp\c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe
"C:\Users\Admin\AppData\Local\Temp\c304e4a7921896c51bad4ba220196b7063440156e2400173fbdd801b8c54fc07.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Roaming\Ruto\zielb.exe
"C:\Users\Admin\AppData\Roaming\Ruto\zielb.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Ruto\zielb.exe
"C:\Users\Admin\AppData\Roaming\Ruto\zielb.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp04ae95f6.bat"
4⤵
- Deletes itself
PID:2028

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp04ae95f6.bat
Filesize
307B

MD5
ab3ef7b5f3fa822f02327c7e415f3e92

SHA1
4a8a19c3eef9504d499875238fa757fc2ff98ddc

SHA256
29bf184ed304fad44cbf0d0ee5f04246e2d4db950649d0fe73b500557e81f8bf

SHA512
cd02f90eb29d68b7102db1519c6b664aead90c01c6f33f9dd509b231927e47c30a5760270a806dcbd1daa27cc05a27a2ccde8fefad5a952241777b1b2acd59de

Download Submit
C:\Users\Admin\AppData\Roaming\Ruto\zielb.exe
Filesize
367KB

MD5
47edda8cf2a2e44b4daf4f9a1b35abc7

SHA1
51c2f95aa7f8804f3532b295e733590a35a14c70

SHA256
4ab84241e3a056d215884021143ba0cbf47051f1d0f62129ea59f0ce04caca6d

SHA512
a55e6b5152f0c300d6ff566c829ad6f0c3a9596a3fab2fc448ca929db0cb83a25ebcdf906fcba71e6e64fa5c5e34cf252848c64407212280a1731e55dadedf7b

Download Submit
C:\Users\Admin\AppData\Roaming\Ruto\zielb.exe
Filesize
367KB

MD5
47edda8cf2a2e44b4daf4f9a1b35abc7

SHA1
51c2f95aa7f8804f3532b295e733590a35a14c70

SHA256
4ab84241e3a056d215884021143ba0cbf47051f1d0f62129ea59f0ce04caca6d

SHA512
a55e6b5152f0c300d6ff566c829ad6f0c3a9596a3fab2fc448ca929db0cb83a25ebcdf906fcba71e6e64fa5c5e34cf252848c64407212280a1731e55dadedf7b

Download Submit
C:\Users\Admin\AppData\Roaming\Ruto\zielb.exe
Filesize
367KB

MD5
47edda8cf2a2e44b4daf4f9a1b35abc7

SHA1
51c2f95aa7f8804f3532b295e733590a35a14c70

SHA256
4ab84241e3a056d215884021143ba0cbf47051f1d0f62129ea59f0ce04caca6d

SHA512
a55e6b5152f0c300d6ff566c829ad6f0c3a9596a3fab2fc448ca929db0cb83a25ebcdf906fcba71e6e64fa5c5e34cf252848c64407212280a1731e55dadedf7b

Download Submit
\Users\Admin\AppData\Roaming\Ruto\zielb.exe
Filesize
367KB

MD5
47edda8cf2a2e44b4daf4f9a1b35abc7

SHA1
51c2f95aa7f8804f3532b295e733590a35a14c70

SHA256
4ab84241e3a056d215884021143ba0cbf47051f1d0f62129ea59f0ce04caca6d

SHA512
a55e6b5152f0c300d6ff566c829ad6f0c3a9596a3fab2fc448ca929db0cb83a25ebcdf906fcba71e6e64fa5c5e34cf252848c64407212280a1731e55dadedf7b

Download Submit
\Users\Admin\AppData\Roaming\Ruto\zielb.exe
Filesize
367KB

MD5
47edda8cf2a2e44b4daf4f9a1b35abc7

SHA1
51c2f95aa7f8804f3532b295e733590a35a14c70

SHA256
4ab84241e3a056d215884021143ba0cbf47051f1d0f62129ea59f0ce04caca6d

SHA512
a55e6b5152f0c300d6ff566c829ad6f0c3a9596a3fab2fc448ca929db0cb83a25ebcdf906fcba71e6e64fa5c5e34cf252848c64407212280a1731e55dadedf7b

Download Submit
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/108-64-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/808-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/808-62-0x000000000042B055-mapping.dmp

Download
memory/808-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/808-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/808-72-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/808-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/808-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/808-86-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/808-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1052-111-0x0000000002770000-0x00000000027AB000-memory.dmp

Filesize
236KB

Download
memory/1052-112-0x0000000002770000-0x00000000027AB000-memory.dmp

Filesize
236KB

Download
memory/1052-110-0x0000000002770000-0x00000000027AB000-memory.dmp

Filesize
236KB

Download
memory/1052-109-0x0000000002770000-0x00000000027AB000-memory.dmp

Filesize
236KB

Download
memory/1228-90-0x0000000001CA0000-0x0000000001CDB000-memory.dmp

Filesize
236KB

Download
memory/1228-91-0x0000000001CA0000-0x0000000001CDB000-memory.dmp

Filesize
236KB

Download
memory/1228-89-0x0000000001CA0000-0x0000000001CDB000-memory.dmp

Filesize
236KB

Download
memory/1228-93-0x0000000001CA0000-0x0000000001CDB000-memory.dmp

Filesize
236KB

Download
memory/1276-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1276-81-0x000000000042B055-mapping.dmp

Download
memory/1316-96-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1316-97-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1316-98-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1316-99-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/1360-104-0x0000000002160000-0x000000000219B000-memory.dmp

Filesize
236KB

Download
memory/1360-105-0x0000000002160000-0x000000000219B000-memory.dmp

Filesize
236KB

Download
memory/1360-103-0x0000000002160000-0x000000000219B000-memory.dmp

Filesize
236KB

Download
memory/1360-102-0x0000000002160000-0x000000000219B000-memory.dmp

Filesize
236KB

Download
memory/1756-69-0x0000000000000000-mapping.dmp

Download
memory/2012-115-0x0000000000210000-0x000000000024B000-memory.dmp

Filesize
236KB

Download
memory/2012-116-0x0000000000210000-0x000000000024B000-memory.dmp

Filesize
236KB

Download
memory/2012-117-0x0000000000210000-0x000000000024B000-memory.dmp

Filesize
236KB

Download
memory/2012-118-0x0000000000210000-0x000000000024B000-memory.dmp

Filesize
236KB

Download
memory/2028-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads