Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-02-2023 16:27

General

  • Target

    4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe

  • Size

    3.6MB

  • MD5

    05df1f3295697a82c2ad35186137835f

  • SHA1

    7a17540d57c2d9309924cb1dd97b82184a5e976a

  • SHA256

    4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea

  • SHA512

    67839bec1eba8962a4b548f026a4f151e0517e4edcb9b73dfe6eb365bd8fa1e513ba5565242943dcd4354f712e708d8c50fef9db71b98d05f318bf47ee1b9bb1

  • SSDEEP

    98304:DZCRW07xF5NNoRIoiJICbpKO06GaYeW1GLs8U4aWy3L:DZCR9F5foW9JIwKO06vdHU6U

Score
10/10

Malware Config

Signatures

  • Detects HZRAT backdoor 1 IoCs
  • HZRAT

    HZRAT is a backdoor that remotely accesses infected resources.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe
    "C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Windows\SysWOW64\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\install.vbs EasyConnectInstaller.exe winIogon.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /K EasyConnectInstaller.exe & exit
        3⤵
          PID:268
        • C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1180

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\install.vbs

      Filesize

      197B

      MD5

      90a1ba69792dcb304a28a848a44c60b9

      SHA1

      7cda38f0a65d27769d51bc753b54ebfddf6cd623

      SHA256

      f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20

      SHA512

      1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

    • C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe

      Filesize

      747KB

      MD5

      818b6a2fbc7bb4f15ee3ccc4f29db2ae

      SHA1

      acf37d114ea72e9a2f9bef2134e1c7eaf763a1b8

      SHA256

      93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234

      SHA512

      ff982d5dd51a5a217739348ea4b825fac712dacd12230e5917d8e49786973caafd5ad106c938b7e94e4d3124d8460dabcf0a7be775591a7b18965d98c45c386a

    • memory/1180-73-0x0000000000400000-0x00000000004B4000-memory.dmp

      Filesize

      720KB