Analysis

max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-12-2023 17:45

Static task: static1

Behavioral task: behavioral1
  Sample: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: 96A3EA4BC09BBA5437EF00C758924CAE.exe
  Resource: win10v2004-20231127-en
General

Target: 96A3EA4BC09BBA5437EF00C758924CAE.exe
Size: 458KB
MD5: 96a3ea4bc09bba5437ef00c758924cae
SHA1: 0154b6d842f48eb715e11856d3c7f5e92dba9384
SHA256: 5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a
SHA512: 54cfb4dbffb1e0e0ccdd619af6521f353ee76f92b13557f1a0f521b8e0198637924a3168ec86b8b447070bd50b1d5af0c0a0c6d2ac4c4ca977e3a95459b837ab
SSDEEP: 6144:tk5byxHPnZaCHWWjjnnhUNeX0BmHbHTLNMT9wRUMXFLpmEJyMQxVGGGGGGGGHGG3:5xvnZaCHW+nhUNQSwbHFMx0UQtx2b
Malware Config

Extracted
  Family: systembc
  C2: wprogs.top:4001
  C2: leadsoftware.top:4001
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZillaUpdater = "C:\\Users\\Admin\\AppData\\Local\\ZillaUpdater.exe" | 96A3EA4BC09BBA5437EF00C758924CAE.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 4940 set thread context of 5000 | 4940 | 96A3EA4BC09BBA5437EF00C758924CAE.exe | 96A3EA4BC09BBA5437EF00C758924CAE.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  4940 | 96A3EA4BC09BBA5437EF00C758924CAE.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 4940 | 96A3EA4BC09BBA5437EF00C758924CAE.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 4940 wrote to memory of 5000 | 4940 | 96A3EA4BC09BBA5437EF00C758924CAE.exe | 96A3EA4BC09BBA5437EF00C758924CAE.exe
  (the same entry is recorded 9 times: nine WriteProcessMemory calls from 4940 into 5000)
Processes

C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"
  PID: 4940
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
       command line: C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
       PID: 5000
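The signature rows and the process tree above together show one sequence: the sample (PID 4940) takes SeDebugPrivilege, spawns a second copy of its own image (PID 5000), writes into that child nine times, replaces a thread context in it, and writes a Run-key value for ZillaUpdater.exe. The following script is an added example written for this page, not Triage output or SystemBC code: it correlates event records of that shape into the hollowing/self-injection pair and the Run-key persistence entry. The Event type, the field names and the EVENTS list are constructed to mirror the report's rows and are assumptions of this example, not an export format of the sandbox.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Image name taken from the report. The EVENTS list below is constructed by hand
# to mirror the report's signature rows and process tree; it is not sandbox output.
SAMPLE = "96A3EA4BC09BBA5437EF00C758924CAE.exe"


@dataclass(frozen=True)
class Event:
    kind: str                          # create | write_memory | set_thread_context | reg_set | privilege
    pid: int                           # acting process
    image: str                         # image name of the acting process
    target_pid: Optional[int] = None   # for create / write_memory / set_thread_context
    target_image: Optional[str] = None
    detail: str = ""                   # registry path = "data", or privilege name


EVENTS = [
    Event("privilege", 4940, SAMPLE, detail="SeDebugPrivilege"),
    Event("create", 4940, SAMPLE, 5000, SAMPLE),                   # process tree: 4940 -> 5000
    *[Event("write_memory", 4940, SAMPLE, 5000, SAMPLE) for _ in range(9)],
    Event("set_thread_context", 4940, SAMPLE, 5000, SAMPLE),
    Event("reg_set", 4940, SAMPLE,
          detail=r"\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000"
                 r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZillaUpdater"
                 r' = "C:\\Users\\Admin\\AppData\\Local\\ZillaUpdater.exe"'),
]

# Matches the report's "...\CurrentVersion\Run\<name> = "<data>"" string form.
RUN_VALUE_RE = re.compile(
    r'\\CurrentVersion\\Run\\(?P<name>[^\\ =]+)\s*=\s*"(?P<data>.*)"$', re.IGNORECASE)


def find_hollowing(events):
    """Return (injector, target) pairs where a process wrote into a child it
    created and then called SetThreadContext on it. Write-then-SetThreadContext
    into a freshly created process is the classic hollowing sequence; a target
    running the same image as the injector is flagged as self_copy."""
    children = {(e.pid, e.target_pid): (e.image, e.target_image)
                for e in events if e.kind == "create"}
    writes = defaultdict(int)
    ctx_set = set()
    for e in events:
        key = (e.pid, e.target_pid)
        if e.kind == "write_memory":
            writes[key] += 1
        elif e.kind == "set_thread_context":
            ctx_set.add(key)
    hits = []
    for key in sorted(ctx_set):
        if key in children and writes[key] > 0:
            parent_img, child_img = children[key]
            hits.append({"injector": key[0], "target": key[1],
                         "writes": writes[key],
                         "self_copy": parent_img.lower() == child_img.lower()})
    return hits


def find_run_key_persistence(events):
    """Extract Run-key value name and command from reg_set events, unescaping
    the doubled backslashes the report uses inside the quoted data."""
    hits = []
    for e in events:
        if e.kind != "reg_set":
            continue
        m = RUN_VALUE_RE.search(e.detail)
        if m:
            hits.append({"pid": e.pid, "value": m["name"],
                         "command": m["data"].replace("\\\\", "\\")})
    return hits


def triage(events):
    """Summarise the three behaviours the report attributes to PID 4940."""
    return {
        "hollowing": find_hollowing(events),
        "persistence": find_run_key_persistence(events),
        "debug_privilege": sorted({e.pid for e in events
                                   if e.kind == "privilege" and e.detail == "SeDebugPrivilege"}),
    }


if __name__ == "__main__":
    for section, rows in triage(EVENTS).items():
        print(section, rows)
```

The Run-key parser keeps the value name and the on-disk path separately so the path (here C:\Users\Admin\AppData\Local\ZillaUpdater.exe) can be checked on a host with a plain file lookup, while the hollowing check deliberately does not require the child to share the parent's image: a sample that hollows svchost.exe instead of a copy of itself still produces the same write-then-SetThreadContext pair and is reported with self_copy set to False.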