2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10

General

Target

2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe
Size

22.9MB
MD5

53f0da7db0c6456aa8e9e3ea423523a6
SHA1

dbed78a2e3cddc87a6afb9e081c5c540ca7dfefa
SHA256

2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10
SHA512

62c02ec814d5c184d7525e6a748f223b08cf2c7fc33d894a80d01cc6b5ddbecb4546dbe7c511b328705d3f7f2cd1814dbe5d5bc2324fe5839dab50ca50860bbc
SSDEEP

49152:978SIIRjd7TtckwRWCFavtAk3DjUHA2O1qofPQZlkALzqNQ8:97h5dzeavtAkfUg2OgofQzqq8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

zmxueji.exe

pid process

860 zmxueji.exe
Loads dropped DLL 4 IoCs

Processes:

2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exezmxueji.exe

pid process

1048 2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe
860 zmxueji.exe
860 zmxueji.exe
860 zmxueji.exe

pid	process
860	zmxueji.exe

pid	process
1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe
860	zmxueji.exe
860	zmxueji.exe
860	zmxueji.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zmxueji = "C:\\Users\\Public\\Uwhp\\Uzhog.exe /zmxueji /{E4B00ADA-F175-4BC7-A453-B2A79362FD13}"	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

zmxueji.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main zmxueji.exe
Runs net.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

zmxueji.exe

pid process

860 zmxueji.exe
860 zmxueji.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	zmxueji.exe

pid	process
860	zmxueji.exe
860	zmxueji.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exeNet.exe

description	pid	process	target process
PID 1048 wrote to memory of 948	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	Net.exe
PID 1048 wrote to memory of 948	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	Net.exe
PID 1048 wrote to memory of 948	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	Net.exe
PID 1048 wrote to memory of 948	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	Net.exe
PID 1048 wrote to memory of 948	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	Net.exe
PID 1048 wrote to memory of 948	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	Net.exe
PID 1048 wrote to memory of 948	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	Net.exe
PID 948 wrote to memory of 1760	948	Net.exe	net1.exe
PID 948 wrote to memory of 1760	948	Net.exe	net1.exe
PID 948 wrote to memory of 1760	948	Net.exe	net1.exe
PID 948 wrote to memory of 1760	948	Net.exe	net1.exe
PID 948 wrote to memory of 1760	948	Net.exe	net1.exe
PID 948 wrote to memory of 1760	948	Net.exe	net1.exe
PID 948 wrote to memory of 1760	948	Net.exe	net1.exe
PID 1048 wrote to memory of 860	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	zmxueji.exe
PID 1048 wrote to memory of 860	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	zmxueji.exe
PID 1048 wrote to memory of 860	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	zmxueji.exe
PID 1048 wrote to memory of 860	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	zmxueji.exe
PID 1048 wrote to memory of 860	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	zmxueji.exe
PID 1048 wrote to memory of 860	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	zmxueji.exe
PID 1048 wrote to memory of 860	1048	2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe	zmxueji.exe

C:\Users\Admin\AppData\Local\Temp\2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe
"C:\Users\Admin\AppData\Local\Temp\2530a6593708eeb77951840e147dba1cf84778d29fb914e793458ffe42d3ec10.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1760
- C:\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe
  C:\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe

Filesize
1.1MB

MD5
5ffa95a2aa9a96ea13a6dca7b5efb44d

SHA1
0a4456049316acf30a20ef352b74c686bd81c4d7

SHA256
fe29919f590782d51adc9d0163d59bebca5de536169850fa54ba7cda66e3979a

SHA512
4e336ba9bf15567a5fb124665882817306cc5e3d20639365a72676804f9f6abf3901310603c1bf3870d6a987d22eb8ba38208231db33b2983bddff7363a99a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe

Filesize
1.1MB

MD5
5ffa95a2aa9a96ea13a6dca7b5efb44d

SHA1
0a4456049316acf30a20ef352b74c686bd81c4d7

SHA256
fe29919f590782d51adc9d0163d59bebca5de536169850fa54ba7cda66e3979a

SHA512
4e336ba9bf15567a5fb124665882817306cc5e3d20639365a72676804f9f6abf3901310603c1bf3870d6a987d22eb8ba38208231db33b2983bddff7363a99a4a

Download Submit
\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe

Filesize
1.1MB

MD5
5ffa95a2aa9a96ea13a6dca7b5efb44d

SHA1
0a4456049316acf30a20ef352b74c686bd81c4d7

SHA256
fe29919f590782d51adc9d0163d59bebca5de536169850fa54ba7cda66e3979a

SHA512
4e336ba9bf15567a5fb124665882817306cc5e3d20639365a72676804f9f6abf3901310603c1bf3870d6a987d22eb8ba38208231db33b2983bddff7363a99a4a

Download Submit
\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe

Filesize
1.1MB

MD5
5ffa95a2aa9a96ea13a6dca7b5efb44d

SHA1
0a4456049316acf30a20ef352b74c686bd81c4d7

SHA256
fe29919f590782d51adc9d0163d59bebca5de536169850fa54ba7cda66e3979a

SHA512
4e336ba9bf15567a5fb124665882817306cc5e3d20639365a72676804f9f6abf3901310603c1bf3870d6a987d22eb8ba38208231db33b2983bddff7363a99a4a

Download Submit
\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe

Filesize
1.1MB

MD5
5ffa95a2aa9a96ea13a6dca7b5efb44d

SHA1
0a4456049316acf30a20ef352b74c686bd81c4d7

SHA256
fe29919f590782d51adc9d0163d59bebca5de536169850fa54ba7cda66e3979a

SHA512
4e336ba9bf15567a5fb124665882817306cc5e3d20639365a72676804f9f6abf3901310603c1bf3870d6a987d22eb8ba38208231db33b2983bddff7363a99a4a

Download Submit
\Users\Admin\AppData\Local\Temp\g8172A\zmxueji.exe

Filesize
1.1MB

MD5
5ffa95a2aa9a96ea13a6dca7b5efb44d

SHA1
0a4456049316acf30a20ef352b74c686bd81c4d7

SHA256
fe29919f590782d51adc9d0163d59bebca5de536169850fa54ba7cda66e3979a

SHA512
4e336ba9bf15567a5fb124665882817306cc5e3d20639365a72676804f9f6abf3901310603c1bf3870d6a987d22eb8ba38208231db33b2983bddff7363a99a4a

Download Submit
memory/860-60-0x0000000000000000-mapping.dmp

Download
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1760-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing