feb63c6685c822cf34afe11dfbbe30c67c11f4822c83fd1a80af8f353e787a8a

Analysis

max time kernel
39s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-05-2023 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZhEKG4Ia.exe
Size

54.8MB
MD5

9fb1684044d30c2f2f6ac7114554fd92
SHA1

8ee97a5ec1a17063f8eabc5c5ea25d4882fd1495
SHA256

feb63c6685c822cf34afe11dfbbe30c67c11f4822c83fd1a80af8f353e787a8a
SHA512

46245341f226e8ccf9bc5623cc019c8ec8b679071c1ffab120905bae43de9856dde2e8917bc62dc172a3a9507cf1ab3c39e2fbc5765fffb7e40ba7733bd2f093
SSDEEP

1572864:tKvAFUwty95SaJ1GJfxdtsgkWSjxnLb3:4AUwkExyxn/3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1048	SecureShellProcess.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	ZhEKG4Ia.exe
1048	SecureShellProcess.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1048	2028	ZhEKG4Ia.exe	28
PID 2028 wrote to memory of 1048	2028	ZhEKG4Ia.exe	28
PID 2028 wrote to memory of 1048	2028	ZhEKG4Ia.exe	28

C:\Users\Admin\AppData\Local\Temp\ZhEKG4Ia.exe
"C:\Users\Admin\AppData\Local\Temp\ZhEKG4Ia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\onefile_2028_133298753549488000\SecureShellProcess.exe
  "C:\Users\Admin\AppData\Local\Temp\ZhEKG4Ia.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2028_133298753549488000\SecureShellProcess.exe

Filesize
62.3MB

MD5
cfd2f59f35dbd8083561fb51c49451ef

SHA1
f749083e3ec82eb870f5315af091d88a0fcb1fa6

SHA256
ae1432c461bc394a9e221bc2543a4b2fed0a17c0a49c74bfc13d164d0275d7d2

SHA512
ad803b8a3bb3d7531fed6fd9701884c124fef7570cd5fa1cab32e0a9c722c7e618fd1212dd40482acd930c80d613796d09481e5ab918382b9b051cec386dc770

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2028_133298753549488000\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2028_133298753549488000\SecureShellProcess.exe

Filesize
62.3MB

MD5
cfd2f59f35dbd8083561fb51c49451ef

SHA1
f749083e3ec82eb870f5315af091d88a0fcb1fa6

SHA256
ae1432c461bc394a9e221bc2543a4b2fed0a17c0a49c74bfc13d164d0275d7d2

SHA512
ad803b8a3bb3d7531fed6fd9701884c124fef7570cd5fa1cab32e0a9c722c7e618fd1212dd40482acd930c80d613796d09481e5ab918382b9b051cec386dc770

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2028_133298753549488000\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
memory/1048-185-0x000000013FB90000-0x0000000143AE4000-memory.dmp

Filesize
63.3MB

Download
memory/2028-186-0x000000013FA30000-0x0000000143119000-memory.dmp

Filesize
54.9MB

Download
memory/2028-314-0x000000013FA30000-0x0000000143119000-memory.dmp

Filesize
54.9MB

Download