bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162

Analysis

max time kernel
152s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 09:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
Size

272KB
MD5

b30a5b12eee48114b4854145e608e058
SHA1

3abaa12013bf16a3aaaae8e0f8734e645d8c58e0
SHA256

bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162
SHA512

ead31541dc681b497e0418bc9a28bcd387ca3c19c09a37e176ef9825976e39ea0eea025052d1d93ae6e68bd501636c25303e49260e9ceb36f24c54cdcee720e4
SSDEEP

6144:P3aZlQxchRdjLmtrBuMrdekUH63u+X5sc57W:CMxGLTuPL5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zaoxo.exe

Executes dropped EXE 1 IoCs

pid	Process
1952	zaoxo.exe

Loads dropped DLL 2 IoCs

pid	Process
1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /Y"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /a"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /P"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /f"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /z"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /F"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /U"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /H"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /G"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /x"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /h"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /y"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /v"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /n"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /Z"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /c"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /w"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /t"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /N"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /o"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /l"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /J"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /X"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /q"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /A"	zaoxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /r"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /u"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /R"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /O"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /p"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /m"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /L"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /d"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /k"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /j"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /M"	zaoxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /K"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /V"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /I"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /S"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /D"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /Q"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /M"	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /g"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /W"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /C"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /E"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /e"	zaoxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoxo = "C:\\Users\\Admin\\zaoxo.exe /T"	zaoxo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe
1952	zaoxo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
1952	zaoxo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1952	1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe	28
PID 1160 wrote to memory of 1952	1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe	28
PID 1160 wrote to memory of 1952	1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe	28
PID 1160 wrote to memory of 1952	1160	bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe	28

C:\Users\Admin\AppData\Local\Temp\bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe
"C:\Users\Admin\AppData\Local\Temp\bf9007b1def82c1d5b6059c8ec2f69475cf57469e33b9a36d91380bd5469d162.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\zaoxo.exe
  "C:\Users\Admin\zaoxo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\zaoxo.exe

Filesize
272KB

MD5
398c902a56e9018ba57cf2f361a070f1

SHA1
e901c37aa908cfb7b2aa7e72e744f96b2f455a69

SHA256
d4ee319963d91f49a07d4d612a6ab677edcb8c2d01ea1c32d945ebd59f889ef8

SHA512
ff32572122766e8e681fa7c1bdd8faa84a0dc9835415dbef21f2a5be12fe64cc05cb0df1b2e755e96105718f063de9ee4354d87749a3ceaf93b6ec7306265661

Download Submit
C:\Users\Admin\zaoxo.exe

Filesize
272KB

MD5
398c902a56e9018ba57cf2f361a070f1

SHA1
e901c37aa908cfb7b2aa7e72e744f96b2f455a69

SHA256
d4ee319963d91f49a07d4d612a6ab677edcb8c2d01ea1c32d945ebd59f889ef8

SHA512
ff32572122766e8e681fa7c1bdd8faa84a0dc9835415dbef21f2a5be12fe64cc05cb0df1b2e755e96105718f063de9ee4354d87749a3ceaf93b6ec7306265661

Download Submit
\Users\Admin\zaoxo.exe

Filesize
272KB

MD5
398c902a56e9018ba57cf2f361a070f1

SHA1
e901c37aa908cfb7b2aa7e72e744f96b2f455a69

SHA256
d4ee319963d91f49a07d4d612a6ab677edcb8c2d01ea1c32d945ebd59f889ef8

SHA512
ff32572122766e8e681fa7c1bdd8faa84a0dc9835415dbef21f2a5be12fe64cc05cb0df1b2e755e96105718f063de9ee4354d87749a3ceaf93b6ec7306265661

Download Submit
\Users\Admin\zaoxo.exe

Filesize
272KB

MD5
398c902a56e9018ba57cf2f361a070f1

SHA1
e901c37aa908cfb7b2aa7e72e744f96b2f455a69

SHA256
d4ee319963d91f49a07d4d612a6ab677edcb8c2d01ea1c32d945ebd59f889ef8

SHA512
ff32572122766e8e681fa7c1bdd8faa84a0dc9835415dbef21f2a5be12fe64cc05cb0df1b2e755e96105718f063de9ee4354d87749a3ceaf93b6ec7306265661

Download Submit
memory/1160-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download