Analysis Overview
SHA256
5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a
Threat Level: Known bad
The file 96A3EA4BC09BBA5437EF00C758924CAE.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-09 17:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-09 17:48
Reported
2023-12-09 17:50
Platform
win7-20231023-en
Max time kernel
118s
Max time network
136s
Command Line
Signatures
SystemBC
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZillaUpdater = "C:\\Users\\Admin\\AppData\\Local\\ZillaUpdater.exe" | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2020 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
"C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"
C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wprogs.top | udp |
| US | 5.161.74.235:4001 | wprogs.top | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-09 17:48
Reported
2023-12-09 17:50
Platform
win10v2004-20231127-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
SystemBC
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZillaUpdater = "C:\\Users\\Admin\\AppData\\Local\\ZillaUpdater.exe" | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1648 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
"C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"
C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.117.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.99.217.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.255.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wprogs.top | udp |
| US | 5.161.74.235:4001 | wprogs.top | tcp |
| US | 8.8.8.8:53 | 235.74.161.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files