Malware Analysis Report

2024-10-24 17:01

Sample ID 230223-tygh2sge39
Target 4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe
SHA256 4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea
Tags
hzrat backdoor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea

Threat Level: Known bad

The file 4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe was found to be: Known bad. In both detonations it unpacks a 7-Zip SFX temp directory (Temp\7zS<hex>\) containing install.vbs and a payload named winIogon.exe (capital I in place of lowercase l, a look-alike of the legitimate winlogon.exe), runs the script through wscript.exe, which then starts cmd.exe /K EasyConnectInstaller.exe and the dropped winIogon.exe. The only connection attributable to the payload in both runs is TCP to 192.168.3.157:8081, a private (RFC 1918) address, so it is an indicator for internal-network monitoring rather than a public C2 host; the other behavioral2 destinations fall in Microsoft, Akamai and Edgecast ranges and are most likely Windows 10 background traffic rather than sample activity.

Malicious Activity Summary

hzrat backdoor

Detects HZRAT backdoor

HZRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-23 16:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-23 16:27

Reported

2023-02-23 16:30

Platform

win7-20230220-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"

Signatures

Detects HZRAT backdoor

Description Indicator Process Target
N/A N/A N/A N/A

HZRAT

backdoor hzrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 824 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe C:\Windows\SysWOW64\wscript.exe 7
PID 1284 wrote to memory of 268 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1284 wrote to memory of 1180 N/A C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe 7

Each pair above matches a parent and the child it launches in the Processes list (dropper into wscript.exe, wscript.exe into cmd.exe and winIogon.exe), which is consistent with process creation rather than injection into an unrelated process; the rows document the execution chain, not a separate injection technique.

Processes

C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe

"C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"

C:\Windows\SysWOW64\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\install.vbs EasyConnectInstaller.exe winIogon.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K EasyConnectInstaller.exe & exit

C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe"

Network

Country Destination Domain Proto Count
N/A 192.168.3.157:8081 N/A tcp 6

Files

C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\install.vbs

MD5 90a1ba69792dcb304a28a848a44c60b9
SHA1 7cda38f0a65d27769d51bc753b54ebfddf6cd623
SHA256 f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20
SHA512 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe

MD5 818b6a2fbc7bb4f15ee3ccc4f29db2ae
SHA1 acf37d114ea72e9a2f9bef2134e1c7eaf763a1b8
SHA256 93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234
SHA512 ff982d5dd51a5a217739348ea4b825fac712dacd12230e5917d8e49786973caafd5ad106c938b7e94e4d3124d8460dabcf0a7be775591a7b18965d98c45c386a

\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe

MD5 818b6a2fbc7bb4f15ee3ccc4f29db2ae
SHA1 acf37d114ea72e9a2f9bef2134e1c7eaf763a1b8
SHA256 93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234
SHA512 ff982d5dd51a5a217739348ea4b825fac712dacd12230e5917d8e49786973caafd5ad106c938b7e94e4d3124d8460dabcf0a7be775591a7b18965d98c45c386a

memory/1180-73-0x0000000000400000-0x00000000004B4000-memory.dmp
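The process chain, file hashes and network destination above translate directly into hunting logic. The following is an added example, not part of the sandbox output or of any vendor tooling: it models the behavioral1 process tree as Sysmon-style process-creation events (the dropper's own parent PID, 1000, is not in the report and is assumed) and applies three checks: a process whose name imitates a protected Windows binary through look-alike characters or runs from the wrong directory (winIogon.exe versus winlogon.exe), a script host started with a script inside a 7-Zip SFX temp directory (Temp\7zS<hex>\) that then spawns an executable dropped there, and matching of the report's SHA-256 and destination IOCs. The PROTECTED name list, the LOOKALIKES character map and the SYSTEM_DIRS locations are assumed rule data, not values from the report.

```python
"""Hunting checks for the dropper chain recorded in this report (added example)."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


SFX_DIR = r"C:\Users\Admin\AppData\Local\Temp\7zS8338A11C"
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe")

# Constructed from the behavioral1 process list and WriteProcessMemory rows.
# The dropper's own parent (PID 1000 here) is not in the report and is assumed.
EVENTS = [
    ProcEvent(824, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1284, 824, r"C:\Windows\SysWOW64\wscript.exe",
              f"wscript.exe {SFX_DIR}\\install.vbs EasyConnectInstaller.exe winIogon.exe"),
    ProcEvent(268, 1284, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /K EasyConnectInstaller.exe & exit'),
    ProcEvent(1180, 1284, f"{SFX_DIR}\\winIogon.exe", f'"{SFX_DIR}\\winIogon.exe"'),
]

# Assumed rule data: names worth protecting, characters attackers swap in for
# the letters they resemble, and where the genuine binaries live.
PROTECTED = {"winlogon.exe", "wininit.exe", "lsass.exe", "csrss.exe",
             "svchost.exe", "services.exe"}
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SFX_TEMP = re.compile(r"\\temp\\7zs[0-9a-f]+\\", re.I)   # 7-Zip SFX extraction dir
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def fold_name(name: str) -> str:
    """Replace look-alike characters with the letters they imitate, then lower-case."""
    return name.translate(LOOKALIKES).lower()


def find_masquerading(events):
    """(pid, image name, reasons) for processes posing as a protected Windows binary."""
    hits = []
    for ev in events:
        base = ntpath.basename(ev.image)
        folded = fold_name(base)
        if folded not in PROTECTED:
            continue
        reasons = []
        if folded != base.lower():                  # e.g. winIogon.exe -> winlogon.exe
            reasons.append("lookalike-name")
        if not ev.image.lower().startswith(SYSTEM_DIRS):
            reasons.append("outside-system-dir")
        if reasons:
            hits.append((ev.pid, base, reasons))
    return hits


def find_sfx_script_chains(events):
    """Script host given a script in a 7zS temp dir that then runs an EXE from that dir."""
    by_pid = {ev.pid: ev for ev in events}
    chains = []
    for host in events:
        if ntpath.basename(host.image).lower() not in SCRIPT_HOSTS:
            continue
        if not SFX_TEMP.search(host.cmdline):
            continue
        children = [c for c in events if c.ppid == host.pid]
        payloads = [c.image for c in children if SFX_TEMP.search(c.image)]
        if payloads:
            parent = by_pid.get(host.ppid)
            chains.append({
                "dropper": ntpath.basename(parent.image) if parent else None,
                "script_host": host.pid,
                "children": [ntpath.basename(c.image) for c in children],
                "payloads": payloads,
            })
    return chains


# IOCs taken from the Files and Network tables of this report.
IOC_SHA256 = {
    "4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea": "dropper",
    "f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20": "install.vbs",
    "93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234": "winIogon.exe",
}
IOC_DESTINATIONS = {("192.168.3.157", 8081)}


def match_iocs(sha256s=(), connections=()):
    """Which report IOCs occur in a set of SHA-256 strings and (ip, port) tuples."""
    return {
        "hashes": sorted(IOC_SHA256[h.lower()] for h in sha256s if h.lower() in IOC_SHA256),
        "connections": sorted(f"{ip}:{port}" for ip, port in connections
                              if (ip, port) in IOC_DESTINATIONS),
    }


def split_private(destinations):
    """Separate 'ip:port' strings into RFC 1918/loopback targets and routable ones."""
    private, public = [], []
    for dest in destinations:
        ip, _, _ = dest.rpartition(":")
        (private if ipaddress.ip_address(ip).is_private else public).append(dest)
    return private, public


if __name__ == "__main__":
    for hit in find_masquerading(EVENTS):
        print("masquerade:", hit)
    for chain in find_sfx_script_chains(EVENTS):
        print("sfx chain:", chain)
    print("private destinations:",
          split_private(["192.168.3.157:8081", "104.208.16.90:443", "8.8.8.8:53"])[0])
```

The name check folds look-alike characters before comparing, so a genuine C:\Windows\System32\winlogon.exe produces no finding while winIogon.exe is flagged twice (look-alike spelling and a user-writable directory). split_private separates the report's 192.168.3.157:8081 from routable destinations, which is the first question to settle before treating an address from a sandbox run as a public C2 indicator.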

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-23 16:27

Reported

2023-02-23 16:30

Platform

win10v2004-20230220-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"

Signatures

Detects HZRAT backdoor

Description Indicator Process Target
N/A N/A N/A N/A

HZRAT

backdoor hzrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe

"C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"

C:\Windows\SysWOW64\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\install.vbs EasyConnectInstaller.exe winIogon.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K EasyConnectInstaller.exe & exit

C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe"

Network

Country Destination Domain Proto Count
N/A 192.168.3.157:8081 N/A tcp 6
US 104.208.16.90:443 N/A tcp 1
NL 173.223.113.164:443 N/A tcp 1
NL 173.223.113.131:80 N/A tcp 1
US 204.79.197.203:80 N/A tcp 1
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp 1
US 13.107.4.50:80 N/A tcp 1
US 93.184.220.29:80 N/A tcp 1

Files

C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\install.vbs

MD5 90a1ba69792dcb304a28a848a44c60b9
SHA1 7cda38f0a65d27769d51bc753b54ebfddf6cd623
SHA256 f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20
SHA512 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe

MD5 818b6a2fbc7bb4f15ee3ccc4f29db2ae
SHA1 acf37d114ea72e9a2f9bef2134e1c7eaf763a1b8
SHA256 93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234
SHA512 ff982d5dd51a5a217739348ea4b825fac712dacd12230e5917d8e49786973caafd5ad106c938b7e94e4d3124d8460dabcf0a7be775591a7b18965d98c45c386a

memory/1124-144-0x0000000000400000-0x00000000004B4000-memory.dmp