abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 15:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe
Size

193KB
MD5

c86068c0a98b8af36c5385f540925e75
SHA1

1f896e48105ff8aff703eac447e890f3ea50c2fe
SHA256

abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd
SHA512

0cce4f67b77ef37ea6b48f352fae3a5f726f25172091cdf28597433039efe6d79d2914bb764b31a16c438603f5b083be4950ad522ced6ce76a7abad165a7fd3b
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOV:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2432	zskhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\zskhost.exe	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe
File opened for modification	C:\Windows\Debug\zskhost.exe	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	zskhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2108	2440	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe	29
PID 2440 wrote to memory of 2108	2440	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe	29
PID 2440 wrote to memory of 2108	2440	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe	29
PID 2440 wrote to memory of 2108	2440	abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe	29

C:\Users\Admin\AppData\Local\Temp\abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe
"C:\Users\Admin\AppData\Local\Temp\abbbca8ae1d2e74dce6d71dffcaf6242aa1375ad764b7fa9905eab527a87d3cd.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ABBBCA~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2108

C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\zskhost.exe

Filesize
193KB

MD5
9d711707efe2cef22744ee5953b2136d

SHA1
03e1221b9c8c38fb07e4dff9544470412fec80f0

SHA256
2beec3eeedf504412a040e270d97bf164ef20e09dd4ae74a90702ad30caeea4f

SHA512
bb0588272a85357628d122c8268af4054e2406ac3c49673e2a62bab6b0d4d16a099d91db42f9bf2dedda333f49a856e4b770e5c8c54a1750e3cc35d799f6daf7

Download Submit
C:\Windows\debug\zskhost.exe

Filesize
193KB

MD5
9d711707efe2cef22744ee5953b2136d

SHA1
03e1221b9c8c38fb07e4dff9544470412fec80f0

SHA256
2beec3eeedf504412a040e270d97bf164ef20e09dd4ae74a90702ad30caeea4f

SHA512
bb0588272a85357628d122c8268af4054e2406ac3c49673e2a62bab6b0d4d16a099d91db42f9bf2dedda333f49a856e4b770e5c8c54a1750e3cc35d799f6daf7

Download Submit