a3807794c390acc037b4de2d88f9869406ec661946af0a9e4a06cbe1ee0ba4a5

Analysis

max time kernel
144s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07_Zuri_Dcast.json
Size

1KB
MD5

389f61d4ed70cbcd8c7729934deb8495
SHA1

57e00551782f6e1bdde459bf5ee612b1cac9d30b
SHA256

20b8662df02acadf706545418054db27bfb958006757fb0ded36dc103e127246
SHA512

4a201b106679c775e698dadf6803495acd9ee2d8d74eeb978a57fce55e6bccbcc18d3292160bde1386076eb6da638090aef0a9487272ecbda19c2ef9e1428769

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6E2B39DD-DFF4-4348-A6CB-8DACF69C6DB5}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B9654FC3-AC15-4E07-B2AF-5D4C32AF5D2D}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D1108247-A66C-4B7A-AFBE-16A350D9C6C1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CDAE01F9-155C-4CD0-B0FA-2C44C518D9A5}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{37102E4D-0A12-4293-9533-DBC88170C6EE}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{50532E74-5788-4F40-8549-A3E1D04E156D}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{78C29E2C-D6B8-4A8A-84A4-A35179EEB7D8}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{786B7871-DDD9-4298-8054-93BFF4C9CE38}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4556	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\07_Zuri_Dcast.json
1⤵
- Modifies registry class
PID:3404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...