89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4

Analysis

max time kernel
189s
max time network
196s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe
Size

284KB
MD5

0b47294f05f30ea08acecf30cc8fcfca
SHA1

17987a237843137ed1a33c062982aa3703302433
SHA256

89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4
SHA512

8e5b90ce19f176f46033ce2be9252e652755c5d32761169e1b19a5efc8211c5cfe87e980c9ce1b930c24bc8ce537ca3e4bdceab4d74ff6b894b3dfccb3433f53
SSDEEP

6144:QaP/gZ90JpU28YMWTHSX1Nb+lPRyqHV2yJAZlj+hIzv/1:3/gI62dMW7m+F3HV2SA7v/1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1056	zagu.exe
1904	zagu.exe

Deletes itself 1 IoCs

pid	Process
684	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe
1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	zagu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Offano\\zagu.exe"	zagu.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 1056 set thread context of 1904	1056	zagu.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe
1904	zagu.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 2024 wrote to memory of 1144	2024	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	28
PID 1144 wrote to memory of 1056	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	29
PID 1144 wrote to memory of 1056	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	29
PID 1144 wrote to memory of 1056	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	29
PID 1144 wrote to memory of 1056	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	29
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1056 wrote to memory of 1904	1056	zagu.exe	30
PID 1904 wrote to memory of 1160	1904	zagu.exe	3
PID 1904 wrote to memory of 1160	1904	zagu.exe	3
PID 1904 wrote to memory of 1160	1904	zagu.exe	3
PID 1904 wrote to memory of 1160	1904	zagu.exe	3
PID 1904 wrote to memory of 1160	1904	zagu.exe	3
PID 1904 wrote to memory of 1240	1904	zagu.exe	12
PID 1904 wrote to memory of 1240	1904	zagu.exe	12
PID 1904 wrote to memory of 1240	1904	zagu.exe	12
PID 1904 wrote to memory of 1240	1904	zagu.exe	12
PID 1904 wrote to memory of 1240	1904	zagu.exe	12
PID 1904 wrote to memory of 1300	1904	zagu.exe	10
PID 1904 wrote to memory of 1300	1904	zagu.exe	10
PID 1904 wrote to memory of 1300	1904	zagu.exe	10
PID 1904 wrote to memory of 1300	1904	zagu.exe	10
PID 1904 wrote to memory of 1300	1904	zagu.exe	10
PID 1904 wrote to memory of 1144	1904	zagu.exe	28
PID 1904 wrote to memory of 1144	1904	zagu.exe	28
PID 1904 wrote to memory of 1144	1904	zagu.exe	28
PID 1904 wrote to memory of 1144	1904	zagu.exe	28
PID 1904 wrote to memory of 1144	1904	zagu.exe	28
PID 1904 wrote to memory of 684	1904	zagu.exe	31
PID 1904 wrote to memory of 684	1904	zagu.exe	31
PID 1904 wrote to memory of 684	1904	zagu.exe	31
PID 1904 wrote to memory of 684	1904	zagu.exe	31
PID 1904 wrote to memory of 684	1904	zagu.exe	31
PID 1144 wrote to memory of 684	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	31
PID 1144 wrote to memory of 684	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	31
PID 1144 wrote to memory of 684	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	31
PID 1144 wrote to memory of 684	1144	89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe
  "C:\Users\Admin\AppData\Local\Temp\89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe
    "C:\Users\Admin\AppData\Local\Temp\89bcef8a8c565c40fba0f3a78345410324455de48f218023ab1186f465fdc2b4.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Users\Admin\AppData\Roaming\Offano\zagu.exe
      "C:\Users\Admin\AppData\Roaming\Offano\zagu.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Users\Admin\AppData\Roaming\Offano\zagu.exe
        
        "C:\Users\Admin\AppData\Roaming\Offano\zagu.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp532f1cd7.bat"
      4⤵
      Deletes itself
      PID:684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp532f1cd7.bat

Filesize
307B

MD5
f8017713a56704b3c2af98b4dab715d0

SHA1
046d6a44d68a241785671567ebf40e50bc27f5ee

SHA256
0cf5e800932a355e2065d5971989504a292e85a6ad00a60e91af047ab4b787e5

SHA512
4108ff648c06dd367ded6730ce100da57aa956795e7051a515c1927c68a0a90205ca2f3ad0595836a2b9912dc42cdcf14465e1fe29ca781044c2b9a0ef5f55b3

Download Submit
C:\Users\Admin\AppData\Roaming\Offano\zagu.exe

Filesize
284KB

MD5
b81ed0adc9d6ef77c2446ed9d64a1005

SHA1
79245477f13aaa5222751f524bc4a0fb30d33995

SHA256
dd57c4e8bb1a8658cadcd49e6898fe8f7df2a69508f891095dfcf8997ba6903b

SHA512
b79fbccf0129ca20831dd66c915b397ec7650f842d58e268332ce19cdaa806805488acecf1359cda8ecd687a5b61a8a0a7cb3e4fce3952241fd7038a53b8130e

Download Submit
C:\Users\Admin\AppData\Roaming\Offano\zagu.exe

Filesize
284KB

MD5
b81ed0adc9d6ef77c2446ed9d64a1005

SHA1
79245477f13aaa5222751f524bc4a0fb30d33995

SHA256
dd57c4e8bb1a8658cadcd49e6898fe8f7df2a69508f891095dfcf8997ba6903b

SHA512
b79fbccf0129ca20831dd66c915b397ec7650f842d58e268332ce19cdaa806805488acecf1359cda8ecd687a5b61a8a0a7cb3e4fce3952241fd7038a53b8130e

Download Submit
C:\Users\Admin\AppData\Roaming\Offano\zagu.exe

Filesize
284KB

MD5
b81ed0adc9d6ef77c2446ed9d64a1005

SHA1
79245477f13aaa5222751f524bc4a0fb30d33995

SHA256
dd57c4e8bb1a8658cadcd49e6898fe8f7df2a69508f891095dfcf8997ba6903b

SHA512
b79fbccf0129ca20831dd66c915b397ec7650f842d58e268332ce19cdaa806805488acecf1359cda8ecd687a5b61a8a0a7cb3e4fce3952241fd7038a53b8130e

Download Submit
\Users\Admin\AppData\Roaming\Offano\zagu.exe

Filesize
284KB

MD5
b81ed0adc9d6ef77c2446ed9d64a1005

SHA1
79245477f13aaa5222751f524bc4a0fb30d33995

SHA256
dd57c4e8bb1a8658cadcd49e6898fe8f7df2a69508f891095dfcf8997ba6903b

SHA512
b79fbccf0129ca20831dd66c915b397ec7650f842d58e268332ce19cdaa806805488acecf1359cda8ecd687a5b61a8a0a7cb3e4fce3952241fd7038a53b8130e

Download Submit
\Users\Admin\AppData\Roaming\Offano\zagu.exe

Filesize
284KB

MD5
b81ed0adc9d6ef77c2446ed9d64a1005

SHA1
79245477f13aaa5222751f524bc4a0fb30d33995

SHA256
dd57c4e8bb1a8658cadcd49e6898fe8f7df2a69508f891095dfcf8997ba6903b

SHA512
b79fbccf0129ca20831dd66c915b397ec7650f842d58e268332ce19cdaa806805488acecf1359cda8ecd687a5b61a8a0a7cb3e4fce3952241fd7038a53b8130e

Download Submit
memory/684-117-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/684-115-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/684-116-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/684-118-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1056-85-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1056-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1144-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-71-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1144-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-121-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/1144-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-112-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1144-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-72-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1144-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-109-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/1144-108-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/1144-107-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/1144-64-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1144-110-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/1160-89-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1160-91-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1160-90-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1160-92-0x0000000001C30000-0x0000000001C74000-memory.dmp

Filesize
272KB

Download
memory/1240-97-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1240-95-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1240-96-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1240-98-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1300-104-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1300-103-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1300-102-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1300-101-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/1904-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2024-54-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2024-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download