Overview

overview

5

Static

static

1

zblg.zip

windows10-1703-x64

5

Analysis

  • max time kernel
    598s
  • max time network
    518s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zblg.zip

  • Size

    9.4MB

  • MD5

    207b597f03033b2e0644bbbc29f04053

  • SHA1

    0ad88c964f6f7eebafa7156080a7bcd90ab32a16

  • SHA256

    f1dc920869794df3e258f42f9b99157104cd3f8c14394c1b9d043d6fcda14c0a

  • SHA512

    f50cdf77557160a7294406e1f2d57ca789ec42834881069281e88ac334fbaad901229da0e460b26a1b69724a4adbf9d0e92adba9c3ac86aa1603b857789c1db6

  • SSDEEP

    49152:h7dI9o//FRKZYIH4Lqq2iPYaTSQjBO5bDhWBw5iDx+HdHg:h7dI9o//FXIH4WiPYaeyQ5bD8Dx+Hi

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\zblg.zip
    1⤵
      PID:2288
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4516
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          PID:4968
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
          2⤵
          • Modifies data under HKEY_USERS
          PID:4376
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
          2⤵
          • Modifies data under HKEY_USERS
          PID:5052
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
          2⤵
            PID:1724
        • C:\Program Files\7-Zip\7zG.exe
          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\zblg\" -spe -an -ai#7zMap5051:66:7zEvent7599
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2756
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            2⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4908
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.0.1426141527\1949290519" -parentBuildID 20221007134813 -prefsHandle 1604 -prefMapHandle 1596 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13a132a6-cab7-4ef7-927f-89046368c5dc} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 1704 1387eef7e58 gpu
              3⤵
                PID:2780
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.1.143944937\517497662" -parentBuildID 20221007134813 -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d3d274f-bd89-428d-85db-075dab59c394} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 2056 1387e537858 socket
                3⤵
                • Checks processor information in registry
                PID:4704
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.2.450823334\1410011908" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2680 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9696b84-f583-4c24-9aa2-85947464bf10} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 2928 1380313b258 tab
                3⤵
                  PID:4980
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.3.834776222\1286313119" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b2ecd99-4e1c-4da8-8244-f351ca08a90e} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 3492 1387425b258 tab
                  3⤵
                    PID:3488
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.4.1352865539\1279866790" -childID 3 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fb02797-fc0e-469a-b9d1-adccdd1a8df0} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 3808 138040e7c58 tab
                    3⤵
                      PID:4116
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.5.1271296238\415675239" -childID 4 -isForBrowser -prefsHandle 4420 -prefMapHandle 4580 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7139c271-35ad-4f9c-98d6-47b915ccf3ff} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 4568 13801844858 tab
                      3⤵
                        PID:2180
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.6.368476787\1867277444" -childID 5 -isForBrowser -prefsHandle 4728 -prefMapHandle 4732 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd2bd833-c0f3-46da-aed9-222291cb6999} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 4600 13805a4f858 tab
                        3⤵
                          PID:1872
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4908.7.461029614\899782381" -childID 6 -isForBrowser -prefsHandle 4936 -prefMapHandle 4940 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4232f897-01cd-4a86-8337-f062dc6cf1b4} 4908 "\\.\pipe\gecko-crash-server-pipe.4908" 4928 13806108958 tab
                          3⤵
                            PID:996

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        146KB

                        MD5

                        77565cb63bbb099782f2aa80fd0f3c36

                        SHA1

                        c401e02239aea86689801f0d132bb1846e5a749a

                        SHA256

                        51dfda560c5285361f046e7a2eb4e744f2d7fa780a2a065471ba19d6681d2155

                        SHA512

                        90bd42b7cb548f6bc1f1119aa8fc89c8d41f34d0d2ee8347f23d6fc296767f06afd0e12f646d85c94d073fc19964f76455c0855a0228c0e9e6217cfdb6086ea7

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        fc03769491e92557713bff75b3dcae44

                        SHA1

                        a4f4687575dba8a950a014c93d8f9f086a2b68d6

                        SHA256

                        3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

                        SHA512

                        8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        85dcc6db40462b05f8986c9f79f3d8a9

                        SHA1

                        269e9654ba7fdb296028c5a9774de1da8806c925

                        SHA256

                        9dd5c5ab6eda424b0a772c0eb62e6150e5e56f58ba4b3e63444b7fdb753f9049

                        SHA512

                        6a7244bda77718d6cc83d015bc717de92ccf94f1a5757b81760bbd766ada30b4a2863bca4c01ecc47adced597dd3728611620d8643c364c2624d89c83a9c5bac

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore.jsonlz4
                        Filesize

                        896B

                        MD5

                        57099655621fbc7c8b9fd6ae7ffeb514

                        SHA1

                        a2e3b8e915520b5cfa2e260ed6b0f1e093cb63f6

                        SHA256

                        e88d57eff320a9328437536ad8f8fb9548b466e3a3d5c1fe47a72b6d6314a2d4

                        SHA512

                        2250273bb8187ef9a3a9bfb5bf4d801e2e434e444baa63629bece472a2e7dacb16f7c27365d33bb12cde2afe0beaf1e5592b2f3c0452650598419455d00746c9

                        Download Submit

                      • memory/4376-198-0x0000015361690000-0x0000015361691000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4376-185-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-195-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-203-0x0000015361690000-0x0000015361693000-memory.dmp

                        Filesize

                        12KB

                        Download

                      • memory/4376-197-0x0000015361690000-0x00000153616A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-187-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-188-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-189-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-174-0x00000153614F0000-0x0000015361500000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-176-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-177-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-179-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-180-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-193-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-181-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-194-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-186-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-196-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-190-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4376-182-0x0000015361650000-0x0000015361660000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4912-161-0x00000220C4E90000-0x00000220C4E91000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4912-153-0x00000220C18F0000-0x00000220C18F8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4912-171-0x00000220C51A0000-0x00000220C51A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4912-170-0x00000220C51B0000-0x00000220C51B8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4912-168-0x00000220C4DE0000-0x00000220C4DE8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4912-166-0x00000220C5080000-0x00000220C5081000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4912-121-0x00000220BD290000-0x00000220BD2A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4912-165-0x00000220C5090000-0x00000220C5098000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4912-137-0x00000220BD390000-0x00000220BD3A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4912-163-0x00000220C3C40000-0x00000220C3C48000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4912-158-0x00000220C4C70000-0x00000220C4C78000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/4912-160-0x00000220C3C40000-0x00000220C3C48000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/5052-231-0x00000280551E0000-0x00000280551F0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5052-212-0x00000280551B0000-0x00000280551C0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5052-232-0x00000280551E0000-0x00000280551F0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5052-211-0x00000280551B0000-0x00000280551C0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5052-209-0x00000280551B0000-0x00000280551C0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5052-208-0x00000280551B0000-0x00000280551C0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5052-206-0x0000028055180000-0x0000028055190000-memory.dmp

                        Filesize

                        64KB

                        Download