Analysis Overview
SHA256
4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea
Threat Level: Known bad
The file 4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe was found to be: Known bad.
Malicious Activity Summary
Detects HZRAT backdoor
HZRAT
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-23 16:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-23 16:27
Reported
2023-02-23 16:30
Platform
win7-20230220-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Detects HZRAT backdoor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
HZRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe
"C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"
C:\Windows\SysWOW64\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\install.vbs EasyConnectInstaller.exe winIogon.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K EasyConnectInstaller.exe & exit
C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.3.157:8081 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\install.vbs
| MD5 | 90a1ba69792dcb304a28a848a44c60b9 |
| SHA1 | 7cda38f0a65d27769d51bc753b54ebfddf6cd623 |
| SHA256 | f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20 |
| SHA512 | 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71 |
C:\Users\Admin\AppData\Local\Temp\7zS8338A11C\winIogon.exe
| MD5 | 818b6a2fbc7bb4f15ee3ccc4f29db2ae |
| SHA1 | acf37d114ea72e9a2f9bef2134e1c7eaf763a1b8 |
| SHA256 | 93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234 |
| SHA512 | ff982d5dd51a5a217739348ea4b825fac712dacd12230e5917d8e49786973caafd5ad106c938b7e94e4d3124d8460dabcf0a7be775591a7b18965d98c45c386a |
memory/1180-73-0x0000000000400000-0x00000000004B4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-23 16:27
Reported
2023-02-23 16:30
Platform
win10v2004-20230220-en
Max time kernel
146s
Max time network
146s
Command Line
Signatures
Detects HZRAT backdoor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
HZRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe
"C:\Users\Admin\AppData\Local\Temp\4272dd0b0588b77a666e90bb3ece326265cac3fd15318591534424f4f63899ea.exe"
C:\Windows\SysWOW64\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\install.vbs EasyConnectInstaller.exe winIogon.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K EasyConnectInstaller.exe & exit
C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.3.157:8081 | | tcp |
| US | 104.208.16.90:443 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| N/A | 192.168.3.157:8081 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
| N/A | 192.168.3.157:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\install.vbs
| MD5 | 90a1ba69792dcb304a28a848a44c60b9 |
| SHA1 | 7cda38f0a65d27769d51bc753b54ebfddf6cd623 |
| SHA256 | f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20 |
| SHA512 | 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71 |
C:\Users\Admin\AppData\Local\Temp\7zS8818B0F6\winIogon.exe
| MD5 | 818b6a2fbc7bb4f15ee3ccc4f29db2ae |
| SHA1 | acf37d114ea72e9a2f9bef2134e1c7eaf763a1b8 |
| SHA256 | 93f0b7eafc218f31ced3eda861c771273c07af69fff5a45a1ff859f0bcd87234 |
| SHA512 | ff982d5dd51a5a217739348ea4b825fac712dacd12230e5917d8e49786973caafd5ad106c938b7e94e4d3124d8460dabcf0a7be775591a7b18965d98c45c386a |
memory/1124-144-0x0000000000400000-0x00000000004B4000-memory.dmp