6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed

General

Target

6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed.exe
Size

2.2MB
MD5

df6a08e32c3538722ef6df6e67e9164e
SHA1

18a0b5a2649305b1638a19e18385fb61d5f9e335
SHA256

6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed
SHA512

9497b4f488ccb9595a804a0a3307f8dc7f730e8655b1491d2b0cf25d12b58de0b7f0023d334ea27d0dee5d48fba1e16f5fac73e167df55049138232e330ec676
SSDEEP

49152:W8soWZ0Parc1FU4mq0GIWaR4fZd5V5ProNbZpzQb/kaaGqsq02sv0:m0Pqc1FfmqNTaQProTpzo/katZ7Bv0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed.exe

Executes dropped EXE 1 IoCs

pid	Process
4732	ZW.EXE

Loads dropped DLL 2 IoCs

pid	Process
4732	ZW.EXE
4732	ZW.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler\ = "ole2.dll"	ZW.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler32	ZW.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler32\ = "ole32.dll"	ZW.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\ProgID	ZW.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\ProgID\ = "Access.OLE2Link"	ZW.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}	ZW.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\ = "OLE 2.0 Link"	ZW.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler	ZW.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4732	ZW.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 4732	2256	6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed.exe	81
PID 2256 wrote to memory of 4732	2256	6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed.exe	81
PID 2256 wrote to memory of 4732	2256	6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed.exe	81

C:\Users\Admin\AppData\Local\Temp\6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed.exe
"C:\Users\Admin\AppData\Local\Temp\6df30c9b5f994b086c9a8456f1ccbb5e24facf0b073025fba267432431da96ed.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2256
- C:\BZHST\ZW.EXE
  "C:\BZHST\ZW.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BZHST\VFP6R.DLL

Filesize
3.2MB

MD5
02b892076244e5bae12fc62297ed0502

SHA1
de635394748bb9bc484f9a0840529816574bfe35

SHA256
2f12d7cc09d1b966991010d098a20d6b39b400525eec98ff90316569bf22542a

SHA512
6f4a23f9a238b989ab74c8a9eb502070bf74427b7c25bcf7088a3f1a0a94e94cd2bf3ae55ec2cc667e4f90c5938bed63647a67ae1b672ddb576e13f33cfbb5d2

Download Submit
C:\BZHST\VFP6RENU.DLL

Filesize
855KB

MD5
67c5fd2305af277134e00c76f3e5bce5

SHA1
682679e87a1a8a01d841afb9b28afaf9fa9ddcbb

SHA256
fb89f70273870d5baa75be62f2905a0a87453c915d5173f2231da37783441b3b

SHA512
dd7c47e33338b9c3b57c54d983d58b6a7654790c0d17ad793f9f4f6d5f881033ca61c5ea496159c45ab6c8a60105d0cd4444fdcee2364cf693abed237ec4672d

Download Submit
C:\BZHST\VFP6RENU.DLL

Filesize
855KB

MD5
67c5fd2305af277134e00c76f3e5bce5

SHA1
682679e87a1a8a01d841afb9b28afaf9fa9ddcbb

SHA256
fb89f70273870d5baa75be62f2905a0a87453c915d5173f2231da37783441b3b

SHA512
dd7c47e33338b9c3b57c54d983d58b6a7654790c0d17ad793f9f4f6d5f881033ca61c5ea496159c45ab6c8a60105d0cd4444fdcee2364cf693abed237ec4672d

Download Submit
C:\BZHST\Vfp6r.dll

Filesize
3.2MB

MD5
02b892076244e5bae12fc62297ed0502

SHA1
de635394748bb9bc484f9a0840529816574bfe35

SHA256
2f12d7cc09d1b966991010d098a20d6b39b400525eec98ff90316569bf22542a

SHA512
6f4a23f9a238b989ab74c8a9eb502070bf74427b7c25bcf7088a3f1a0a94e94cd2bf3ae55ec2cc667e4f90c5938bed63647a67ae1b672ddb576e13f33cfbb5d2

Download Submit
C:\BZHST\ZW.EXE

Filesize
361KB

MD5
820a503babdf5e7b98d90fb0b99198ea

SHA1
1454d1c5b69cf84462f48b60749cd78cf21cf52e

SHA256
01813c8ae1ee637612f26b8f335487d0513253176c94e502a47711d19161bb85

SHA512
a5747eb6a9996a26453385cf12ad38a195b89a640d2fa2c51914fbcf34de5e43eb357b5eb0e0ffddbe45863cd6289bab50a1b1bf1d787629aa8bff146f5c2e41

Download Submit
C:\BZHST\zw.exe

Filesize
361KB

MD5
820a503babdf5e7b98d90fb0b99198ea

SHA1
1454d1c5b69cf84462f48b60749cd78cf21cf52e

SHA256
01813c8ae1ee637612f26b8f335487d0513253176c94e502a47711d19161bb85

SHA512
a5747eb6a9996a26453385cf12ad38a195b89a640d2fa2c51914fbcf34de5e43eb357b5eb0e0ffddbe45863cd6289bab50a1b1bf1d787629aa8bff146f5c2e41

Download Submit
C:\BZHST\zw.ini

Filesize
9B

MD5
36fdb1dea7b726782de2e3249cfcee5f

SHA1
c24c28767a027ceb8ddf9b28fcb38aa17c7234a9

SHA256
b04cd0695c142a37e9ae49d1f6ec02da25fe6e88bbcdb1a590b8e4d4cb1b0024

SHA512
238474c2fe1a0dc619d74b959666f62afecd93f3742866855f6918c6d5870b2fb1f67e368b95ee1766eec762f195bca4fe874bf6acfe6a9f5ff010fbf0f616d6

Download Submit

Analysis

Sharing