35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 05:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe
Size

199KB
MD5

876ad03e7776bbee98af96b2a0917e19
SHA1

833e3f3ba999f4ba7f56a72386e713304e193d57
SHA256

35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6
SHA512

ea88b600118d607555209cf1004ad6aa4025fe8bdbdab569fa19520bfe1d5dd635c7dfe51f045f9aa846fbffc86c285d22793e47a1ee9d488efff72bd84878b1
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO4:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	zskhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\zskhost.exe	35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe
File opened for modification	C:\Windows\Debug\zskhost.exe	35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	zskhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1660	35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2664	1660	35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe	29
PID 1660 wrote to memory of 2664	1660	35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe	29
PID 1660 wrote to memory of 2664	1660	35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe	29
PID 1660 wrote to memory of 2664	1660	35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe	29

C:\Users\Admin\AppData\Local\Temp\35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe
"C:\Users\Admin\AppData\Local\Temp\35fff6777f3c144d240dfc4d95f9279702c8b5462027bf7c1707d1c64ec48bc6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\35FFF6~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2664

C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\zskhost.exe

Filesize
199KB

MD5
a4c52a43a7aaabfd9a2e9d97e6322e4b

SHA1
2c97ff502e4138afe058b886f554b60d2979206b

SHA256
f14ce399f9dd256d80df873097e6ea1f89c6b7f21ed0d92f38f419059fde0717

SHA512
a681de521f12ee066e139fb35a077dc78fe1f0a727aff1d043a3912ac284f8ce94b7a945ebf30494819d0f347cd710629c697fb58a1fe96389bb9d28ecbfcaf9

Download Submit
C:\Windows\debug\zskhost.exe

Filesize
199KB

MD5
a4c52a43a7aaabfd9a2e9d97e6322e4b

SHA1
2c97ff502e4138afe058b886f554b60d2979206b

SHA256
f14ce399f9dd256d80df873097e6ea1f89c6b7f21ed0d92f38f419059fde0717

SHA512
a681de521f12ee066e139fb35a077dc78fe1f0a727aff1d043a3912ac284f8ce94b7a945ebf30494819d0f347cd710629c697fb58a1fe96389bb9d28ecbfcaf9

Download Submit