Analysis

  • max time kernel: 141s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7-20230831-en
  • resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted: 12/10/2023, 14:49

General

  • Target: 46ea512911313cf3bd454e1c80b67c55a1d126ef1ab10a1ed2b2eb5f3167ea10.exe
  • Size: 198KB
  • MD5: 7e3ba51dfffc28bb513979c585b745fb
  • SHA1: b1abf39d05ea314dd1c879adbbeba0a41bbaee50
  • SHA256: 46ea512911313cf3bd454e1c80b67c55a1d126ef1ab10a1ed2b2eb5f3167ea10
  • SHA512: 1fb3bf72ddc222ea3c5728233f427f2c2c4d13dd864e5b68f5b6295b34ff26f39cf1c9349df0c866b2911eee373ee6de2d5a7f990b4fd3cfe8dfb74fe7132e05
  • SSDEEP: 6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO2:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXj

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46ea512911313cf3bd454e1c80b67c55a1d126ef1ab10a1ed2b2eb5f3167ea10.exe (PID:1916)
    Command line: "C:\Users\Admin\AppData\Local\Temp\46ea512911313cf3bd454e1c80b67c55a1d126ef1ab10a1ed2b2eb5f3167ea10.exe"
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\SysWOW64\cmd.exe (PID:2584)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\46EA51~1.EXE > nul
      • Deletes itself
  • C:\Windows\Debug\zskhost.exe (PID:1248)
    Command line: C:\Windows\Debug\zskhost.exe
    • Executes dropped EXE
    • Checks processor information in registry

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Debug\zskhost.exe
    Filesize: 198KB
    MD5: e9a862925a61ebce80100a15d233e562
    SHA1: 9e3e3a860776d0d4aaedfcf65ee3e2af1f8b35a9
    SHA256: 2aefd4c87d9b873a0cc606001af0dd0dab52ca9e8dee87eea2ccd4c0820d5f2d
    SHA512: 57eeca0c06416efe61cc1cad090396e2f128891b38125570e38d31981e2c796dd889d41e3dff19dc67a98978acb9e0512956cec14ab8213aabddce9498c73987

  • C:\Windows\debug\zskhost.exe
    Filesize: 198KB
    MD5: e9a862925a61ebce80100a15d233e562
    SHA1: 9e3e3a860776d0d4aaedfcf65ee3e2af1f8b35a9
    SHA256: 2aefd4c87d9b873a0cc606001af0dd0dab52ca9e8dee87eea2ccd4c0820d5f2d
    SHA512: 57eeca0c06416efe61cc1cad090396e2f128891b38125570e38d31981e2c796dd889d41e3dff19dc67a98978acb9e0512956cec14ab8213aabddce9498c73987