a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe
Size

426KB
MD5

f99e6d0a7e88589e71a0f5484493efa3
SHA1

b366dcb0ec14fc90be705e0baf5a024446c17754
SHA256

a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738
SHA512

7626e72d720b106c59747c74ec39421a428566b0d42d92c9d55c3e5f683247d681705043f92f691601bfd2aaa67a367002e7cb94057454b2af272dfe9824c339
SSDEEP

6144:yQwkIXrueYIYsIW4VAYsOYeCEM7YTrLIqAWHfEFAb3bUj:yE2rf3cV+cxTgqv8Fsoj

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1436	avzen.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\Currentversion\Run	avzen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3E453350-556D-BCA0-DD18-DB6F10EDC16D} = "C:\\Users\\Admin\\AppData\\Roaming\\Qosux\\avzen.exe"	avzen.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 1992	5108	a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe	81

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe
1436	avzen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 1436	5108	a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe	80
PID 5108 wrote to memory of 1436	5108	a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe	80
PID 5108 wrote to memory of 1436	5108	a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe	80
PID 1436 wrote to memory of 2376	1436	avzen.exe	31
PID 1436 wrote to memory of 2376	1436	avzen.exe	31
PID 1436 wrote to memory of 2376	1436	avzen.exe	31
PID 1436 wrote to memory of 2376	1436	avzen.exe	31
PID 1436 wrote to memory of 2376	1436	avzen.exe	31
PID 1436 wrote to memory of 2388	1436	avzen.exe	24
PID 1436 wrote to memory of 2388	1436	avzen.exe	24
PID 1436 wrote to memory of 2388	1436	avzen.exe	24
PID 1436 wrote to memory of 2388	1436	avzen.exe	24
PID 1436 wrote to memory of 2388	1436	avzen.exe	24
PID 1436 wrote to memory of 2628	1436	avzen.exe	29
PID 1436 wrote to memory of 2628	1436	avzen.exe	29
PID 1436 wrote to memory of 2628	1436	avzen.exe	29
PID 1436 wrote to memory of 2628	1436	avzen.exe	29
PID 1436 wrote to memory of 2628	1436	avzen.exe	29
PID 1436 wrote to memory of 2432	1436	avzen.exe	57
PID 1436 wrote to memory of 2432	1436	avzen.exe	57
PID 1436 wrote to memory of 2432	1436	avzen.exe	57
PID 1436 wrote to memory of 2432	1436	avzen.exe	57
PID 1436 wrote to memory of 2432	1436	avzen.exe	57
PID 1436 wrote to memory of 760	1436	avzen.exe	56
PID 1436 wrote to memory of 760	1436	avzen.exe	56
PID 1436 wrote to memory of 760	1436	avzen.exe	56
PID 1436 wrote to memory of 760	1436	avzen.exe	56
PID 1436 wrote to memory of 760	1436	avzen.exe	56
PID 1436 wrote to memory of 3244	1436	avzen.exe	55
PID 1436 wrote to memory of 3244	1436	avzen.exe	55
PID 1436 wrote to memory of 3244	1436	avzen.exe	55
PID 1436 wrote to memory of 3244	1436	avzen.exe	55
PID 1436 wrote to memory of 3244	1436	avzen.exe	55
PID 1436 wrote to memory of 3348	1436	avzen.exe	54
PID 1436 wrote to memory of 3348	1436	avzen.exe	54
PID 1436 wrote to memory of 3348	1436	avzen.exe	54
PID 1436 wrote to memory of 3348	1436	avzen.exe	54
PID 1436 wrote to memory of 3348	1436	avzen.exe	54
PID 1436 wrote to memory of 3412	1436	avzen.exe	53
PID 1436 wrote to memory of 3412	1436	avzen.exe	53
PID 1436 wrote to memory of 3412	1436	avzen.exe	53
PID 1436 wrote to memory of 3412	1436	avzen.exe	53
PID 1436 wrote to memory of 3412	1436	avzen.exe	53
PID 1436 wrote to memory of 3544	1436	avzen.exe	34
PID 1436 wrote to memory of 3544	1436	avzen.exe	34
PID 1436 wrote to memory of 3544	1436	avzen.exe	34
PID 1436 wrote to memory of 3544	1436	avzen.exe	34
PID 1436 wrote to memory of 3544	1436	avzen.exe	34
PID 1436 wrote to memory of 3896	1436	avzen.exe	52
PID 1436 wrote to memory of 3896	1436	avzen.exe	52
PID 1436 wrote to memory of 3896	1436	avzen.exe	52
PID 1436 wrote to memory of 3896	1436	avzen.exe	52
PID 1436 wrote to memory of 3896	1436	avzen.exe	52
PID 1436 wrote to memory of 4776	1436	avzen.exe	35
PID 1436 wrote to memory of 4776	1436	avzen.exe	35
PID 1436 wrote to memory of 4776	1436	avzen.exe	35
PID 1436 wrote to memory of 4776	1436	avzen.exe	35
PID 1436 wrote to memory of 4776	1436	avzen.exe	35
PID 1436 wrote to memory of 5108	1436	avzen.exe	79
PID 1436 wrote to memory of 5108	1436	avzen.exe	79
PID 1436 wrote to memory of 5108	1436	avzen.exe	79
PID 1436 wrote to memory of 5108	1436	avzen.exe	79
PID 1436 wrote to memory of 5108	1436	avzen.exe	79
PID 5108 wrote to memory of 1992	5108	a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe	81

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2628

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2432
- C:\Users\Admin\AppData\Local\Temp\a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe
  "C:\Users\Admin\AppData\Local\Temp\a59f5769ef80c9af9a0186653b49121b5d505ba18d07d5710e0d7b375e3cf738.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Roaming\Qosux\avzen.exe
    "C:\Users\Admin\AppData\Roaming\Qosux\avzen.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2dfb49ad.bat"
    3⤵
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2dfb49ad.bat

Filesize
307B

MD5
551adb09f902ab165e972de76bad777a

SHA1
621033b3c7acf08a22b3cb22176875a0eb409cb9

SHA256
bd7de7cf0a3b18b596b9113c654be093357092047605ed83adb78950c29e615c

SHA512
97ed0e0e64a9ee9465dec68686956a21b0f90692080aa1999b1cac0f6a3d3f62d809137e3cee6931125c6859187a053dd2682d6a98cee3cf073177a2c7ddb365

Download Submit
C:\Users\Admin\AppData\Roaming\Qosux\avzen.exe

Filesize
426KB

MD5
bb32c859592b1d69a52816fa88cc50bc

SHA1
83107f94ccabe6b61379e01cfa16d839f05bf66a

SHA256
01099600ed70727773d4128d66e67172268adc8f796459fa5c5f6ad72420b3f3

SHA512
2a9034fa2f1573bc308afa2c88946d67b24890828ae6049444e3b5b266bd1a67723cc3cf17cd908b8cc2f5747689c9081bdc71ce178fa4e8b32141c47cc4210a

Download Submit
C:\Users\Admin\AppData\Roaming\Qosux\avzen.exe

Filesize
426KB

MD5
bb32c859592b1d69a52816fa88cc50bc

SHA1
83107f94ccabe6b61379e01cfa16d839f05bf66a

SHA256
01099600ed70727773d4128d66e67172268adc8f796459fa5c5f6ad72420b3f3

SHA512
2a9034fa2f1573bc308afa2c88946d67b24890828ae6049444e3b5b266bd1a67723cc3cf17cd908b8cc2f5747689c9081bdc71ce178fa4e8b32141c47cc4210a

Download Submit
memory/1436-149-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1436-150-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1436-140-0x0000000001FD0000-0x0000000002016000-memory.dmp

Filesize
280KB

Download
memory/1992-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1992-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1992-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1992-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1992-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1992-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1992-146-0x0000000000920000-0x0000000000966000-memory.dmp

Filesize
280KB

Download
memory/1992-157-0x0000000000920000-0x0000000000966000-memory.dmp

Filesize
280KB

Download
memory/5108-138-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5108-148-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5108-147-0x0000000002300000-0x0000000002346000-memory.dmp

Filesize
280KB

Download
memory/5108-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5108-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5108-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5108-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5108-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5108-132-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5108-137-0x0000000002210000-0x0000000002256000-memory.dmp

Filesize
280KB

Download
memory/5108-133-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download