Analysis
max time kernel: 144s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-12-2023 17:46
Static task: static1
Behavioral task: behavioral1
  Sample: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  Resource: win10v2004-20231130-en
General
Target: 96A3EA4BC09BBA5437EF00C758924CAE.exe
Size: 458KB
MD5: 96a3ea4bc09bba5437ef00c758924cae
SHA1: 0154b6d842f48eb715e11856d3c7f5e92dba9384
SHA256: 5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a
SHA512: 54cfb4dbffb1e0e0ccdd619af6521f353ee76f92b13557f1a0f521b8e0198637924a3168ec86b8b447070bd50b1d5af0c0a0c6d2ac4c4ca977e3a95459b837ab
SSDEEP: 6144:tk5byxHPnZaCHWWjjnnhUNeX0BmHbHTLNMT9wRUMXFLpmEJyMQxVGGGGGGGGHGG3:5xvnZaCHW+nhUNQSwbHFMx0UQtx2b
Malware Config
Extracted: systembc
  wprogs.top:4001
  leadsoftware.top:4001
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZillaUpdater = "C:\\Users\\Admin\\AppData\\Local\\ZillaUpdater.exe"
  process: 96A3EA4BC09BBA5437EF00C758924CAE.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  description: PID 4376 set thread context of 2264 (pid 4376, process 96A3EA4BC09BBA5437EF00C758924CAE.exe, target process 96A3EA4BC09BBA5437EF00C758924CAE.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  pid 4376, process 96A3EA4BC09BBA5437EF00C758924CAE.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 96A3EA4BC09BBA5437EF00C758924CAE.exe, svchost.exe
  description: Token: SeDebugPrivilege (pid 4376, process 96A3EA4BC09BBA5437EF00C758924CAE.exe)
  description: Token: SeManageVolumePrivilege (pid 2412, process svchost.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  description: PID 4376 wrote to memory of 2264 (pid 4376, process 96A3EA4BC09BBA5437EF00C758924CAE.exe, target process 96A3EA4BC09BBA5437EF00C758924CAE.exe) (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe (level 1, PID 4376)
  command line: "C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe (level 2, PID 2264)
    command line: C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
- C:\Windows\system32\rundll32.exe (level 1, PID 1272)
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe (level 1, PID 2412)
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken