Analysis
max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 23-02-2023 16:27
Static task: static1
Behavioral task: behavioral1
Sample: 4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe
Resource: win7-20230220-en
General
Target: 4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe
Size: 3.6MB
MD5: 05df1f3295697a82c2ad35186137835f
SHA1: 7a17540d57c2d9309924cb1dd97b82184a5e976a
SHA256: 4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea
SHA512: 67839bec1eba8962a4b548f026a4f151e0517e4edcb9b73dfe6eb365bd8fa1e513ba5565242943dcd4354f712e708d8c50fef9db71b98d05f318bf47ee1b9bb1
SSDEEP: 98304:DZCRW07xF5NNoRIoiJICbpKO06GaYeW1GLs8U4aWy3L:DZCR9F5foW9JIwKO06vdHU6U
Malware Config
Signatures
Detects HZRAT backdoor (1 IoC)
  resource: behavioral1/memory/1180-73-0x0000000000400000-0x00000000004B4000-memory.dmp
  yara_rule: family_hzrat
Executes dropped EXE (1 IoC)
  PID 1180: winIogon.exe
Loads dropped DLL (5 IoCs)
  PID 1284 wscript.exe (2 entries)
  PID 1180 winIogon.exe (3 entries)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (21 IoCs)
  PID 824 (4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe) wrote to memory of PID 1284 (wscript.exe): 7 entries
  PID 1284 (wscript.exe) wrote to memory of PID 268 (cmd.exe): 7 entries
  PID 1284 (wscript.exe) wrote to memory of PID 1180 (winIogon.exe): 7 entries
Processes
C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"
  PID: 824
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wscript.exe
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\install.vbs EasyConnectInstaller.exe winIogon.exe
    PID: 1284
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /K EasyConnectInstaller.exe & exit
      PID: 268
    C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe"
      PID: 1180
      signatures: Executes dropped EXE; Loads dropped DLL
      note: the dropped file name is spelled winIogon with a capital I in this report, not winlogon
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 197B
MD5: 90a1ba69792dcb304a28a848a44c60b9
SHA1: 7cda38f0a65d27769d51bc753b54ebfddf6cd623
SHA256: f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20
SHA512: 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

Filesize: 747KB
MD5: 818b6a2fbc7bb4f15ee3ccc4f29db2ae
SHA1: acf37d114ea72e9a2f9bef2134e1c7eaf763a1b8
SHA256: 93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234
SHA512: ff982d5dd51a5a217739348ea4b825fac712dacd12230e5917d8e49786973caafd5ad106c938b7e94e4d3124d8460dabcf0a7be775591a7b18965d98c45c386a