fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
Size

314KB
MD5

2c3f432ed0ac134ba8a6029126126e16
SHA1

68268dc8cabe6dfa1ac2722e3505bc61011a2b97
SHA256

fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3
SHA512

d2802969b7dfbcfebcbddb1fcacd0c6f8464328284765af685d30aca30836c68fe6dd81d4721f2ad521eec3efad321a808b58fd367dccc2117bb109fb96c19e1
SSDEEP

6144:MsU36U4IWQWDlHw/z0qm1iZcWmK+TElAOn01JbtOPEpbh4gdIjK:pw6U4IvWDaLhMuWTDOn01FtiSh4QI

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

zaokq.exe

pid process

1668 zaokq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1700 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe

pid process

2000 fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe

pid	process
1668	zaokq.exe

pid	process
1700	cmd.exe

pid	process
2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaokq.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Ebcy\\zaokq.exe"	explorer.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2C0248C8-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

explorer.exezaokq.exe

pid	process
1584	explorer.exe
1668	zaokq.exe
1668	zaokq.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe
1584	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
Token: SeManageVolumePrivilege	1516	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1516 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1516 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1516 WinMail.exe

pid	process
1516	WinMail.exe

pid	process
1516	WinMail.exe

pid	process
1516	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exezaokq.exeexplorer.exe

description	pid	process	target process
PID 2000 wrote to memory of 1668	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	zaokq.exe
PID 2000 wrote to memory of 1668	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	zaokq.exe
PID 2000 wrote to memory of 1668	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	zaokq.exe
PID 2000 wrote to memory of 1668	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	zaokq.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1668 wrote to memory of 1584	1668	zaokq.exe	explorer.exe
PID 1584 wrote to memory of 1132	1584	explorer.exe	taskhost.exe
PID 1584 wrote to memory of 1132	1584	explorer.exe	taskhost.exe
PID 1584 wrote to memory of 1132	1584	explorer.exe	taskhost.exe
PID 1584 wrote to memory of 1132	1584	explorer.exe	taskhost.exe
PID 1584 wrote to memory of 1132	1584	explorer.exe	taskhost.exe
PID 1584 wrote to memory of 1184	1584	explorer.exe	Dwm.exe
PID 1584 wrote to memory of 1184	1584	explorer.exe	Dwm.exe
PID 1584 wrote to memory of 1184	1584	explorer.exe	Dwm.exe
PID 1584 wrote to memory of 1184	1584	explorer.exe	Dwm.exe
PID 1584 wrote to memory of 1184	1584	explorer.exe	Dwm.exe
PID 1584 wrote to memory of 1224	1584	explorer.exe	Explorer.EXE
PID 1584 wrote to memory of 1224	1584	explorer.exe	Explorer.EXE
PID 1584 wrote to memory of 1224	1584	explorer.exe	Explorer.EXE
PID 1584 wrote to memory of 1224	1584	explorer.exe	Explorer.EXE
PID 1584 wrote to memory of 1224	1584	explorer.exe	Explorer.EXE
PID 1584 wrote to memory of 2000	1584	explorer.exe	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
PID 1584 wrote to memory of 2000	1584	explorer.exe	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
PID 1584 wrote to memory of 2000	1584	explorer.exe	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
PID 1584 wrote to memory of 2000	1584	explorer.exe	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
PID 1584 wrote to memory of 2000	1584	explorer.exe	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
PID 1668 wrote to memory of 1516	1668	zaokq.exe	WinMail.exe
PID 1668 wrote to memory of 1516	1668	zaokq.exe	WinMail.exe
PID 1668 wrote to memory of 1516	1668	zaokq.exe	WinMail.exe
PID 1668 wrote to memory of 1516	1668	zaokq.exe	WinMail.exe
PID 1668 wrote to memory of 1516	1668	zaokq.exe	WinMail.exe
PID 2000 wrote to memory of 1700	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	cmd.exe
PID 2000 wrote to memory of 1700	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	cmd.exe
PID 2000 wrote to memory of 1700	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	cmd.exe
PID 2000 wrote to memory of 1700	2000	fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe	cmd.exe
PID 1584 wrote to memory of 1700	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1700	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1700	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1700	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1700	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1676	1584	explorer.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe
"C:\Users\Admin\AppData\Local\Temp\fcd0ac307bb9d9cca8e61ab1608008ebd4c1e2286a97aac6f146e2e4b05dc9c3.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Roaming\Ebcy\zaokq.exe
"C:\Users\Admin\AppData\Roaming\Ebcy\zaokq.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp44870fc4.bat"
3⤵
- Deletes itself
PID:1700

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-34369610895868165161257990-15939513018540377169598165211202271-1657701376"
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp44870fc4.bat

Filesize
307B

MD5
132b56c75c5d89cb1bc914198b4ff9f7

SHA1
481bc749efcdad60da35064806e5d1ecd440b0d6

SHA256
0a94f06cc9a343471b5d09895449168871760cc144a0fc6b2c2a82e2c7f69020

SHA512
80d2a24775cea4273890c0c023b7379ff82159f5d1c7e29e399b4a5167ea638cb5e4cbb1a88df28bb169abdb4903103eb2a35e4a7a43c7011bffea5b65690df2

Download Submit
C:\Users\Admin\AppData\Roaming\Ebcy\zaokq.exe

Filesize
314KB

MD5
01a497f7cd21c09a79870948f9425e2d

SHA1
36e3fc1e8e48a9898449733d3e165d9e1ed597d9

SHA256
fb67a23445be4dec90c0cb4ac3b8b7d405cb7f759d53ca8463cd98cfc2d2aec3

SHA512
56be0121e0773814717ac42918dcf53616c894e939865e588cdf6948d483b9eee33ecc2e64efd8573bc894eec3661074791ef1c59bdb61464b8485e006c9e666

Download Submit
C:\Users\Admin\AppData\Roaming\Ebcy\zaokq.exe

Filesize
314KB

MD5
01a497f7cd21c09a79870948f9425e2d

SHA1
36e3fc1e8e48a9898449733d3e165d9e1ed597d9

SHA256
fb67a23445be4dec90c0cb4ac3b8b7d405cb7f759d53ca8463cd98cfc2d2aec3

SHA512
56be0121e0773814717ac42918dcf53616c894e939865e588cdf6948d483b9eee33ecc2e64efd8573bc894eec3661074791ef1c59bdb61464b8485e006c9e666

Download Submit
\Users\Admin\AppData\Roaming\Ebcy\zaokq.exe

Filesize
314KB

MD5
01a497f7cd21c09a79870948f9425e2d

SHA1
36e3fc1e8e48a9898449733d3e165d9e1ed597d9

SHA256
fb67a23445be4dec90c0cb4ac3b8b7d405cb7f759d53ca8463cd98cfc2d2aec3

SHA512
56be0121e0773814717ac42918dcf53616c894e939865e588cdf6948d483b9eee33ecc2e64efd8573bc894eec3661074791ef1c59bdb61464b8485e006c9e666

Download Submit
memory/1132-92-0x0000000001B50000-0x0000000001B87000-memory.dmp

Filesize
220KB

Download
memory/1132-91-0x0000000001B50000-0x0000000001B87000-memory.dmp

Filesize
220KB

Download
memory/1132-90-0x0000000001B50000-0x0000000001B87000-memory.dmp

Filesize
220KB

Download
memory/1132-89-0x0000000001B50000-0x0000000001B87000-memory.dmp

Filesize
220KB

Download
memory/1184-98-0x0000000001B70000-0x0000000001BA7000-memory.dmp

Filesize
220KB

Download
memory/1184-96-0x0000000001B70000-0x0000000001BA7000-memory.dmp

Filesize
220KB

Download
memory/1184-95-0x0000000001B70000-0x0000000001BA7000-memory.dmp

Filesize
220KB

Download
memory/1184-97-0x0000000001B70000-0x0000000001BA7000-memory.dmp

Filesize
220KB

Download
memory/1224-103-0x0000000002A10000-0x0000000002A47000-memory.dmp

Filesize
220KB

Download
memory/1224-102-0x0000000002A10000-0x0000000002A47000-memory.dmp

Filesize
220KB

Download
memory/1224-101-0x0000000002A10000-0x0000000002A47000-memory.dmp

Filesize
220KB

Download
memory/1224-104-0x0000000002A10000-0x0000000002A47000-memory.dmp

Filesize
220KB

Download
memory/1516-73-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1516-74-0x000007FEF62C1000-0x000007FEF62C3000-memory.dmp

Filesize
8KB

Download
memory/1516-75-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1516-81-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/1516-117-0x0000000003D30000-0x0000000003D67000-memory.dmp

Filesize
220KB

Download
memory/1516-116-0x0000000003D30000-0x0000000003D67000-memory.dmp

Filesize
220KB

Download
memory/1516-114-0x0000000003D30000-0x0000000003D67000-memory.dmp

Filesize
220KB

Download
memory/1584-67-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1584-71-0x00000000742A1000-0x00000000742A3000-memory.dmp

Filesize
8KB

Download
memory/1584-69-0x0000000000000000-mapping.dmp

Download
memory/1584-130-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1584-68-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1584-65-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1584-63-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1584-72-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/1668-61-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1668-58-0x0000000000000000-mapping.dmp

Download
memory/1700-118-0x0000000000000000-mapping.dmp

Download
memory/1700-124-0x00000000003D0000-0x0000000000407000-memory.dmp

Filesize
220KB

Download
memory/1700-128-0x00000000003D0000-0x0000000000407000-memory.dmp

Filesize
220KB

Download
memory/1700-123-0x00000000003D0000-0x0000000000407000-memory.dmp

Filesize
220KB

Download
memory/1700-122-0x00000000003D0000-0x0000000000407000-memory.dmp

Filesize
220KB

Download
memory/1700-121-0x00000000003D0000-0x0000000000407000-memory.dmp

Filesize
220KB

Download
memory/2000-107-0x00000000029F0000-0x0000000002A27000-memory.dmp

Filesize
220KB

Download
memory/2000-56-0x0000000002180000-0x0000000002DCA000-memory.dmp

Filesize
12.3MB

Download
memory/2000-108-0x00000000029F0000-0x0000000002A27000-memory.dmp

Filesize
220KB

Download
memory/2000-109-0x00000000029F0000-0x0000000002A27000-memory.dmp

Filesize
220KB

Download
memory/2000-110-0x00000000029F0000-0x0000000002A27000-memory.dmp

Filesize
220KB

Download
memory/2000-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2000-111-0x0000000002180000-0x0000000002DCA000-memory.dmp

Filesize
12.3MB

Download
memory/2000-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download