0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6

Analysis

max time kernel
172s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
Size

176KB
MD5

10ccb9e857904b3d0e4eae778ba37e44
SHA1

0088267f4d5d89114195dbcaff265f9affe76a42
SHA256

0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6
SHA512

8b3b8f6a47faa07304f703e9f866eceec487708cbb8c2b18311e5a7e0e049f33ab0cd7871790cdab63728b14519ae53bac21c4312a10201ccd33de89747a5b8c
SSDEEP

3072:Wk4IcfpHlp1DbKcwjIU2aTObcpT/pHkEAbN/yK/fObT/bGiCV/COqoSQ3iBuAZds:b4PfpHlp1vKcwjIDaTObcZ/pHkMK/fOc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zuizi.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	zuizi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /x"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /B"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /X"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /k"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /r"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /t"	zuizi.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /L"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /W"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /M"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /o"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /m"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /G"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /P"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /D"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /A"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /p"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /O"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /R"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /b"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /F"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /s"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /a"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /u"	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /i"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /h"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /z"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /l"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /f"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /J"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /K"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /N"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /C"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /Y"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /U"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /E"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /V"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /v"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /S"	zuizi.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /g"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /Q"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /c"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /u"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /e"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /Z"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /w"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /y"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /H"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /n"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /j"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /d"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /T"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /I"	zuizi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuizi = "C:\\Users\\Admin\\zuizi.exe /q"	zuizi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4292	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
4292	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe
4800	zuizi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4292	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
4800	zuizi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 4800	4292	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe	81
PID 4292 wrote to memory of 4800	4292	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe	81
PID 4292 wrote to memory of 4800	4292	0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe	81

C:\Users\Admin\AppData\Local\Temp\0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
"C:\Users\Admin\AppData\Local\Temp\0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\zuizi.exe
  "C:\Users\Admin\zuizi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\zuizi.exe

Filesize
176KB

MD5
3e8b54d2670b875d191fc39a73fdee86

SHA1
bc8e2b561c870781110db3d470b2d8f24b26825d

SHA256
4a718cca5d43edcf9776b0e2a957a4863b3e253111d41fba4217e4835f99f5bc

SHA512
f6a12a58c3013168682fa63854d8bd48b01b8afa2164bfef6ec95c8493133600004e0f9a18665faf1190c2634ff1b1b9681551ce05875aaf8ff8d58ff913e88f

Download Submit
C:\Users\Admin\zuizi.exe

Filesize
176KB

MD5
3e8b54d2670b875d191fc39a73fdee86

SHA1
bc8e2b561c870781110db3d470b2d8f24b26825d

SHA256
4a718cca5d43edcf9776b0e2a957a4863b3e253111d41fba4217e4835f99f5bc

SHA512
f6a12a58c3013168682fa63854d8bd48b01b8afa2164bfef6ec95c8493133600004e0f9a18665faf1190c2634ff1b1b9681551ce05875aaf8ff8d58ff913e88f

Download Submit