Analysis
- max time kernel: 27s
- max time network: 30s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 16:04
Behavioral task: behavioral1
- Sample: ZAZAgenv2.exe (1) (1).exe
- Resource: win10v2004-20221111-en
General
- Target: ZAZAgenv2.exe (1) (1).exe
- Size: 3.8MB
- MD5: 5adc42fc3c4641933072fd628c07778b
- SHA1: 88dacdf1ab3aea812c7aaeb0e532edddf22c1ef4
- SHA256: 0db34a2edc14731f5a5b0a0cd0ce855f76a43f0279d0259383682ee59eba43f2
- SHA512: 9fcfda10612301d90846042b8a8ee5519012727caf5c4138037934b6ccd12cd9808c2e1c8378e54cc72b7a26fbc1274224179bb36e17f937b2254ba4b4dc7678
- SSDEEP: 98304:Qu0T+Srp3YVrsk9N8ivyhAdsPSQxhsnWJLXq0f9ogdCyb:QtfSVN8iNISOlJzqwf
Malware Config
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp | family_stormkitty

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource | yara_rule
  behavioral1/memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp | WebBrowserPassView
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe | WebBrowserPassView

Nirsoft (3 IoCs)
  resource | yara_rule
  behavioral1/memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\svchoster.exe | Nirsoft

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | ZAZAgenv2.exe (1) (1).exe

Executes dropped EXE (1 IoC)
  pid | process
  4636 | svchoster.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  18 | checkip.dyndns.org

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Opens file in notepad (likely ransom note) (1 IoC)
  pid | process
  1172 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  4636 | svchoster.exe
  4636 | svchoster.exe
  4636 | svchoster.exe
  4636 | svchoster.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 5092 | ZAZAgenv2.exe (1) (1).exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  5092 | ZAZAgenv2.exe (1) (1).exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 5092 wrote to memory of 4300 | 5092 | ZAZAgenv2.exe (1) (1).exe | cmd.exe
  PID 5092 wrote to memory of 4300 | 5092 | ZAZAgenv2.exe (1) (1).exe | cmd.exe
  PID 5092 wrote to memory of 4300 | 5092 | ZAZAgenv2.exe (1) (1).exe | cmd.exe
  PID 4300 wrote to memory of 4636 | 4300 | cmd.exe | svchoster.exe
  PID 4300 wrote to memory of 4636 | 4300 | cmd.exe | svchoster.exe
  PID 4300 wrote to memory of 4636 | 4300 | cmd.exe | svchoster.exe
Processes

level 1: C:\Users\Admin\AppData\Local\Temp\ZAZAgenv2.exe (1) (1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ZAZAgenv2.exe (1) (1).exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  level 2: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"
    - Suspicious use of WriteProcessMemory

    level 3: C:\Users\Admin\AppData\Local\Temp\svchoster.exe
      command line: C:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

level 1: C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResizeNew.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchoster.exe
  Filesize: 391KB
  MD5: 053778713819beab3df309df472787cd
  SHA1: 99c7b5827df89b4fafc2b565abed97c58a3c65b8
  SHA256: f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
  SHA512: 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb
- memory/4300-133-0x0000000000000000-mapping.dmp
- memory/4636-136-0x0000000000000000-mapping.dmp
- memory/5092-132-0x0000000000470000-0x0000000000850000-memory.dmp
  Filesize: 3.9MB
- memory/5092-134-0x0000000006010000-0x00000000060A2000-memory.dmp
  Filesize: 584KB
- memory/5092-135-0x0000000006660000-0x0000000006C04000-memory.dmp
  Filesize: 5.6MB
- memory/5092-139-0x0000000007430000-0x00000000074A6000-memory.dmp
  Filesize: 472KB
- memory/5092-140-0x00000000065F0000-0x000000000660E000-memory.dmp
  Filesize: 120KB