Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    23-02-2023 16:29

General

  • Target

    9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe

  • Size

    898KB

  • MD5

    bf351f934bbfd7fdbaadeeafa83c7375

  • SHA1

    b3b62f4f9157daffe634e995b183b46343f7e268

  • SHA256

    9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff

  • SHA512

    f965672020d2a0a83529a8d893e47b05b72de3556a002712d53c6476d297a7776ea17a16ee200edbef6ee233f0f867d5bdc92282f24babe6fda732c54bd710d9

  • SSDEEP

    24576:DcVkKSxRhGyOXW1QTPz1HlslplY0AHdL3LokK3Mfn:DcBsR8NYWbYpqr1LDRfn

Score
10/10

Malware Config

Signatures

  • Detects HZRAT backdoor 1 IoCs
  • HZRAT

    HZRAT is a backdoor that remotely accesses infected resources.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
    "C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\install.vbs 城管自动追呼系统V8.6_8.exe default.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /K 城管自动追呼系统V8.6_8.exe & exit
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe
          城管自动追呼系统V8.6_8.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1468
      • C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1440

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe

    Filesize

    746KB

    MD5

    b7e2a2bc66eff2194fe89c3b39492725

    SHA1

    3dd67cf891ca0ab0ddcb21f352b6b82c7189a5db

    SHA256

    1da10fa2615093bd3cff95c69b8ccaa796ec0ecd6192357e90bc7d26c0f2e4b0

    SHA512

    bdc5b7649060cda02cf74ac1a13c6770798ca5068a735c1e523a29e328b081c447a6468efb3e0b9ed18b3e3f172fca219bad021d1c84208d8513ba46cb7c8854

  • C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\install.vbs

    Filesize

    197B

    MD5

    90a1ba69792dcb304a28a848a44c60b9

    SHA1

    7cda38f0a65d27769d51bc753b54ebfddf6cd623

    SHA256

    f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20

    SHA512

    1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

  • C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe

    Filesize

    1.1MB

    MD5

    3dbbf5c43df2b3a6ca03fff37ec0ba94

    SHA1

    cc3e2bbaa0c498b4952763a2565ca9c0fe65f8eb

    SHA256

    5aba0e6886f8bffdfe6b261ad84be78db8a48e188eb8baeb788980456f183dce

    SHA512

    aab09928c4aeb223bd02240b9ec97789f2507b4f427574fb8c5f1dc13d831e7bd32f1b42b3a4effeb973ac7d3c76f98057a383d9dc4c7fbd0e2ff959e8eece7a

  • \Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe

    Filesize

    746KB

    MD5

    b7e2a2bc66eff2194fe89c3b39492725

    SHA1

    3dd67cf891ca0ab0ddcb21f352b6b82c7189a5db

    SHA256

    1da10fa2615093bd3cff95c69b8ccaa796ec0ecd6192357e90bc7d26c0f2e4b0

    SHA512

    bdc5b7649060cda02cf74ac1a13c6770798ca5068a735c1e523a29e328b081c447a6468efb3e0b9ed18b3e3f172fca219bad021d1c84208d8513ba46cb7c8854

  • \Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe

    Filesize

    1.1MB

    MD5

    3dbbf5c43df2b3a6ca03fff37ec0ba94

    SHA1

    cc3e2bbaa0c498b4952763a2565ca9c0fe65f8eb

    SHA256

    5aba0e6886f8bffdfe6b261ad84be78db8a48e188eb8baeb788980456f183dce

    SHA512

    aab09928c4aeb223bd02240b9ec97789f2507b4f427574fb8c5f1dc13d831e7bd32f1b42b3a4effeb973ac7d3c76f98057a383d9dc4c7fbd0e2ff959e8eece7a

  • memory/1440-117-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/1468-81-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-95-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-77-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-79-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-74-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-83-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-85-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-87-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-89-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-91-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-93-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-75-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-97-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-99-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-101-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-103-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-105-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-107-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-109-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-111-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-113-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-115-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-116-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1468-73-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB