965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe
Size

93KB
MD5

dd2c350e982563b4fe22cbcb8faee7d3
SHA1

d705f64a00454a24c2e014612022fc22d950ee30
SHA256

965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037
SHA512

4a8b09c5a2f0491efea515167c75c08d50fb23c22ec4c2d0b508de660c9bf2ab9fddd715e351e274c28ba97888595601385ade7f65e7d6c6c4ec3c9fe17625e4
SSDEEP

1536:YwH8z4lr3QF/GTqg8HLhobQLAfm5b8HLljs2mwEhstzWrY8p:lw4lr39Og8HlKQLAfMmLljJmwEixWrfp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1412	zehu.exe

Deletes itself 1 IoCs

pid	Process
1832	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe
1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	zehu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EBBCA835-AC4F-0DC6-E444-5DF28E5F90FA} = "C:\\Users\\Admin\\AppData\\Roaming\\Hizo\\zehu.exe"	zehu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe
1412	zehu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe
Token: SeSecurityPrivilege	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe
Token: SeSecurityPrivilege	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1412	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	27
PID 1448 wrote to memory of 1412	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	27
PID 1448 wrote to memory of 1412	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	27
PID 1448 wrote to memory of 1412	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	27
PID 1412 wrote to memory of 1248	1412	zehu.exe	17
PID 1412 wrote to memory of 1248	1412	zehu.exe	17
PID 1412 wrote to memory of 1248	1412	zehu.exe	17
PID 1412 wrote to memory of 1248	1412	zehu.exe	17
PID 1412 wrote to memory of 1248	1412	zehu.exe	17
PID 1412 wrote to memory of 1360	1412	zehu.exe	16
PID 1412 wrote to memory of 1360	1412	zehu.exe	16
PID 1412 wrote to memory of 1360	1412	zehu.exe	16
PID 1412 wrote to memory of 1360	1412	zehu.exe	16
PID 1412 wrote to memory of 1360	1412	zehu.exe	16
PID 1412 wrote to memory of 1392	1412	zehu.exe	15
PID 1412 wrote to memory of 1392	1412	zehu.exe	15
PID 1412 wrote to memory of 1392	1412	zehu.exe	15
PID 1412 wrote to memory of 1392	1412	zehu.exe	15
PID 1412 wrote to memory of 1392	1412	zehu.exe	15
PID 1412 wrote to memory of 1448	1412	zehu.exe	26
PID 1412 wrote to memory of 1448	1412	zehu.exe	26
PID 1412 wrote to memory of 1448	1412	zehu.exe	26
PID 1412 wrote to memory of 1448	1412	zehu.exe	26
PID 1412 wrote to memory of 1448	1412	zehu.exe	26
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1448 wrote to memory of 1832	1448	965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe	28
PID 1412 wrote to memory of 1912	1412	zehu.exe	30
PID 1412 wrote to memory of 1912	1412	zehu.exe	30
PID 1412 wrote to memory of 1912	1412	zehu.exe	30
PID 1412 wrote to memory of 1912	1412	zehu.exe	30
PID 1412 wrote to memory of 1912	1412	zehu.exe	30
PID 1412 wrote to memory of 288	1412	zehu.exe	31
PID 1412 wrote to memory of 288	1412	zehu.exe	31
PID 1412 wrote to memory of 288	1412	zehu.exe	31
PID 1412 wrote to memory of 288	1412	zehu.exe	31
PID 1412 wrote to memory of 288	1412	zehu.exe	31
PID 1412 wrote to memory of 1536	1412	zehu.exe	32
PID 1412 wrote to memory of 1536	1412	zehu.exe	32
PID 1412 wrote to memory of 1536	1412	zehu.exe	32
PID 1412 wrote to memory of 1536	1412	zehu.exe	32
PID 1412 wrote to memory of 1536	1412	zehu.exe	32
PID 1412 wrote to memory of 1604	1412	zehu.exe	33
PID 1412 wrote to memory of 1604	1412	zehu.exe	33
PID 1412 wrote to memory of 1604	1412	zehu.exe	33
PID 1412 wrote to memory of 1604	1412	zehu.exe	33
PID 1412 wrote to memory of 1604	1412	zehu.exe	33
PID 1412 wrote to memory of 528	1412	zehu.exe	34
PID 1412 wrote to memory of 528	1412	zehu.exe	34
PID 1412 wrote to memory of 528	1412	zehu.exe	34
PID 1412 wrote to memory of 528	1412	zehu.exe	34
PID 1412 wrote to memory of 528	1412	zehu.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe
  "C:\Users\Admin\AppData\Local\Temp\965a3ed7682bc794184adc2bf1ae0830773c71c7d6c2c43ea3b5043bd7c73037.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Roaming\Hizo\zehu.exe
    "C:\Users\Admin\AppData\Roaming\Hizo\zehu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd0913334.bat"
    3⤵
    - Deletes itself
    PID:1832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1360

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd0913334.bat

Filesize
307B

MD5
e76eac66d1364b3f7e08e054df658bca

SHA1
877955d3599293b2c32d1192ed92598a474d50ca

SHA256
d17ac1665db52d56cfd148e1a1b68a9da5340613ed4742c080bef140f0bc5842

SHA512
cc802b1e093b9e5ae9e86394a84b73779151164d07af4000446f13b6c2dad6061ff9285db9683452e47fac50a6d2a23ad3b32ea7fc1b1b218ff86535db6d0dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Egetn\tyil.ogk

Filesize
398B

MD5
151070f98481ffe0f0fa414c8d92a9df

SHA1
5f801b0c96e05657bb1d9a7612842ecba96cc393

SHA256
a63a93ae9068f112401f6a83ae5613606189e523d53cb38b3c3de6abd9ae206e

SHA512
263ffc16289ebcd75f7407352983635adcfb65ee42208b977668d3c6dbfa6efc97be7c68494e522b4a8659a72149f82e0bd746d6f47361eee1fbd515d948946e

Download Submit
C:\Users\Admin\AppData\Roaming\Hizo\zehu.exe

Filesize
93KB

MD5
b62afe67ec0c57f0f0bb57f6444ff05d

SHA1
cf46dbcb1e39597de51c8a2c22d472eeabc31c26

SHA256
d6b14d7421f1d767a086f5abda6588b1507dad2a3b59e1fdbc25e3dddcf670d5

SHA512
1a04c023e6091e8e883865ae3ebacfc0de00ab254117f8f8fca059022a75763c966abc7886781b023a5127b3f61f5d5a81c91b98ebaa032c484fd271c878a15c

Download Submit
C:\Users\Admin\AppData\Roaming\Hizo\zehu.exe

Filesize
93KB

MD5
b62afe67ec0c57f0f0bb57f6444ff05d

SHA1
cf46dbcb1e39597de51c8a2c22d472eeabc31c26

SHA256
d6b14d7421f1d767a086f5abda6588b1507dad2a3b59e1fdbc25e3dddcf670d5

SHA512
1a04c023e6091e8e883865ae3ebacfc0de00ab254117f8f8fca059022a75763c966abc7886781b023a5127b3f61f5d5a81c91b98ebaa032c484fd271c878a15c

Download Submit
\Users\Admin\AppData\Roaming\Hizo\zehu.exe

Filesize
93KB

MD5
b62afe67ec0c57f0f0bb57f6444ff05d

SHA1
cf46dbcb1e39597de51c8a2c22d472eeabc31c26

SHA256
d6b14d7421f1d767a086f5abda6588b1507dad2a3b59e1fdbc25e3dddcf670d5

SHA512
1a04c023e6091e8e883865ae3ebacfc0de00ab254117f8f8fca059022a75763c966abc7886781b023a5127b3f61f5d5a81c91b98ebaa032c484fd271c878a15c

Download Submit
\Users\Admin\AppData\Roaming\Hizo\zehu.exe

Filesize
93KB

MD5
b62afe67ec0c57f0f0bb57f6444ff05d

SHA1
cf46dbcb1e39597de51c8a2c22d472eeabc31c26

SHA256
d6b14d7421f1d767a086f5abda6588b1507dad2a3b59e1fdbc25e3dddcf670d5

SHA512
1a04c023e6091e8e883865ae3ebacfc0de00ab254117f8f8fca059022a75763c966abc7886781b023a5127b3f61f5d5a81c91b98ebaa032c484fd271c878a15c

Download Submit
memory/288-107-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/288-109-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/288-108-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/288-106-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/528-127-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/528-125-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/528-126-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/528-124-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/1248-61-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1248-66-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1248-65-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1248-64-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1248-63-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1360-72-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1392-75-0x00000000026A0000-0x00000000026BA000-memory.dmp

Filesize
104KB

Download
memory/1392-76-0x00000000026A0000-0x00000000026BA000-memory.dmp

Filesize
104KB

Download
memory/1392-77-0x00000000026A0000-0x00000000026BA000-memory.dmp

Filesize
104KB

Download
memory/1392-78-0x00000000026A0000-0x00000000026BA000-memory.dmp

Filesize
104KB

Download
memory/1448-81-0x0000000001BA0000-0x0000000001BBA000-memory.dmp

Filesize
104KB

Download
memory/1448-94-0x0000000001BA0000-0x0000000001BBA000-memory.dmp

Filesize
104KB

Download
memory/1448-84-0x0000000001BA0000-0x0000000001BBA000-memory.dmp

Filesize
104KB

Download
memory/1448-83-0x0000000001BA0000-0x0000000001BBA000-memory.dmp

Filesize
104KB

Download
memory/1448-82-0x0000000001BA0000-0x0000000001BBA000-memory.dmp

Filesize
104KB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1604-118-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1604-121-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1604-120-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1604-119-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1832-90-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1832-92-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1832-91-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1832-97-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1832-88-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1912-103-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1912-102-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1912-101-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/1912-100-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download