aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe
Size

380KB
MD5

483724ec5796ef9faa4b8b0017d15c5c
SHA1

eb7b6640b3aa80d591183df5bc8ddf11a0b1022c
SHA256

aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a
SHA512

06ff09e847eb7ed1a1066d68f6bad579f6434a13962631946d7f31993f2ed5044b417d1c5256832a31c4a9e4f959651e93d05a2a5ffd718ec3719f18b892a366
SSDEEP

6144:N1qjtXjNz9moAupI8fchJm8EroL3iZBxjGWsQmwFoI0PEOUf:ejd7PfeGs66ymwFo+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
912	zygau.exe

Deletes itself 1 IoCs

pid	Process
1480	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe
1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	zygau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Ulog\\zygau.exe"	zygau.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1128 set thread context of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe
912	zygau.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe
912	zygau.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 912	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	27
PID 1128 wrote to memory of 912	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	27
PID 1128 wrote to memory of 912	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	27
PID 1128 wrote to memory of 912	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	27
PID 912 wrote to memory of 1236	912	zygau.exe	14
PID 912 wrote to memory of 1236	912	zygau.exe	14
PID 912 wrote to memory of 1236	912	zygau.exe	14
PID 912 wrote to memory of 1236	912	zygau.exe	14
PID 912 wrote to memory of 1236	912	zygau.exe	14
PID 912 wrote to memory of 1336	912	zygau.exe	13
PID 912 wrote to memory of 1336	912	zygau.exe	13
PID 912 wrote to memory of 1336	912	zygau.exe	13
PID 912 wrote to memory of 1336	912	zygau.exe	13
PID 912 wrote to memory of 1336	912	zygau.exe	13
PID 912 wrote to memory of 1388	912	zygau.exe	12
PID 912 wrote to memory of 1388	912	zygau.exe	12
PID 912 wrote to memory of 1388	912	zygau.exe	12
PID 912 wrote to memory of 1388	912	zygau.exe	12
PID 912 wrote to memory of 1388	912	zygau.exe	12
PID 912 wrote to memory of 1128	912	zygau.exe	26
PID 912 wrote to memory of 1128	912	zygau.exe	26
PID 912 wrote to memory of 1128	912	zygau.exe	26
PID 912 wrote to memory of 1128	912	zygau.exe	26
PID 912 wrote to memory of 1128	912	zygau.exe	26
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29
PID 1128 wrote to memory of 1480	1128	aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe
  "C:\Users\Admin\AppData\Local\Temp\aa4d45bb1c281368cb4f80fa9ede39f45f4ff7184a6274f43c941492ede7f40a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Roaming\Ulog\zygau.exe
    "C:\Users\Admin\AppData\Roaming\Ulog\zygau.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0cf1fe7c.bat"
    3⤵
    - Deletes itself
    PID:1480

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0cf1fe7c.bat

Filesize
307B

MD5
c7354e6bfd6bdebebd379f31a61e7235

SHA1
f29989951e7fd45471e4d04e4971a527646f000a

SHA256
0b824bc107f5467a9a2b32a14ff7ba9ffea9613480392c51af4302ef73124d7d

SHA512
cf4eb0bbaf06d40b676f2a0c29edd3c72f5eaec4a5091147a3f8e578f4bcdaf89f2a6f499f78184f70fe181d02e9efd0c379660d424a232651bef2a598044046

Download Submit
C:\Users\Admin\AppData\Roaming\Ulog\zygau.exe

Filesize
380KB

MD5
eb4f7035cb71b3026e51f8f41fa67bc4

SHA1
7772e3f9738486aafa5f22cc98fded3e556d05c6

SHA256
0e47cadf851905a0d94e7986db57cd85866c70d8d5f9f91c5afe64cff1e51680

SHA512
5c702702aeac7ab1ae1cb26b37582b20e965248bfbb66ec37c9e5bda20d1c5e50f39d0cab0a3455312089d42b5792072149634b621aa76a4875d0115c03cd340

Download Submit
C:\Users\Admin\AppData\Roaming\Ulog\zygau.exe

Filesize
380KB

MD5
eb4f7035cb71b3026e51f8f41fa67bc4

SHA1
7772e3f9738486aafa5f22cc98fded3e556d05c6

SHA256
0e47cadf851905a0d94e7986db57cd85866c70d8d5f9f91c5afe64cff1e51680

SHA512
5c702702aeac7ab1ae1cb26b37582b20e965248bfbb66ec37c9e5bda20d1c5e50f39d0cab0a3455312089d42b5792072149634b621aa76a4875d0115c03cd340

Download Submit
\Users\Admin\AppData\Roaming\Ulog\zygau.exe

Filesize
380KB

MD5
eb4f7035cb71b3026e51f8f41fa67bc4

SHA1
7772e3f9738486aafa5f22cc98fded3e556d05c6

SHA256
0e47cadf851905a0d94e7986db57cd85866c70d8d5f9f91c5afe64cff1e51680

SHA512
5c702702aeac7ab1ae1cb26b37582b20e965248bfbb66ec37c9e5bda20d1c5e50f39d0cab0a3455312089d42b5792072149634b621aa76a4875d0115c03cd340

Download Submit
\Users\Admin\AppData\Roaming\Ulog\zygau.exe

Filesize
380KB

MD5
eb4f7035cb71b3026e51f8f41fa67bc4

SHA1
7772e3f9738486aafa5f22cc98fded3e556d05c6

SHA256
0e47cadf851905a0d94e7986db57cd85866c70d8d5f9f91c5afe64cff1e51680

SHA512
5c702702aeac7ab1ae1cb26b37582b20e965248bfbb66ec37c9e5bda20d1c5e50f39d0cab0a3455312089d42b5792072149634b621aa76a4875d0115c03cd340

Download Submit
memory/912-105-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/912-103-0x0000000001DB0000-0x0000000001E13000-memory.dmp

Filesize
396KB

Download
memory/912-104-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/912-102-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1128-96-0x00000000004C0000-0x0000000000523000-memory.dmp

Filesize
396KB

Download
memory/1128-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-95-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/1128-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1128-98-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1128-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-84-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1128-85-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1128-83-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1128-86-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1236-66-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1236-65-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1236-63-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1236-68-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1236-67-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1336-74-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1336-72-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1336-73-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1336-71-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1388-80-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1388-78-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1388-77-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1388-79-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1480-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1480-101-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1480-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1480-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1480-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download