09eb2191d35b731870fb90f5d1ffbbf5ce229eaab39a2dbc48d750d7d3629f90

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f7a45abaa9c9bbec98ae27c1586528.exe
Size

317KB
MD5

14f7a45abaa9c9bbec98ae27c1586528
SHA1

3f55757cf9f7b423393858bedb0abce32ccf5fe7
SHA256

09eb2191d35b731870fb90f5d1ffbbf5ce229eaab39a2dbc48d750d7d3629f90
SHA512

2fec52bd305bf76d719aed25b4fe8163e2bbcb1b0a9c8a2a82c6939242452fea506cb8bb6f8db920f32cff3e5604f047921fd96e12aecb64f187b73e220821a9
SSDEEP

6144:xSmQMfkqcSVLHFV9vBMaYyJzgkCST6p282JFSi:YqLVLHFb6Czg7ST6p2tPSi

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	ilzuko.exe
2776	ilzuko.exe

Loads dropped DLL 3 IoCs

pid	Process
2172	14f7a45abaa9c9bbec98ae27c1586528.exe
2172	14f7a45abaa9c9bbec98ae27c1586528.exe
2004	ilzuko.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6F76ACC8-CEF3-AD4E-FF1F-3295E8F41188} = "C:\\Users\\Admin\\AppData\\Roaming\\Elaza\\ilzuko.exe"	ilzuko.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 2004 set thread context of 2776	2004	ilzuko.exe	32

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe
2776	ilzuko.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 1824 wrote to memory of 2172	1824	14f7a45abaa9c9bbec98ae27c1586528.exe	28
PID 2172 wrote to memory of 2004	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	29
PID 2172 wrote to memory of 2004	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	29
PID 2172 wrote to memory of 2004	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	29
PID 2172 wrote to memory of 2004	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	29
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2004 wrote to memory of 2776	2004	ilzuko.exe	32
PID 2776 wrote to memory of 1120	2776	ilzuko.exe	20
PID 2776 wrote to memory of 1120	2776	ilzuko.exe	20
PID 2776 wrote to memory of 1120	2776	ilzuko.exe	20
PID 2776 wrote to memory of 1120	2776	ilzuko.exe	20
PID 2776 wrote to memory of 1120	2776	ilzuko.exe	20
PID 2776 wrote to memory of 1212	2776	ilzuko.exe	19
PID 2776 wrote to memory of 1212	2776	ilzuko.exe	19
PID 2776 wrote to memory of 1212	2776	ilzuko.exe	19
PID 2776 wrote to memory of 1212	2776	ilzuko.exe	19
PID 2776 wrote to memory of 1212	2776	ilzuko.exe	19
PID 2776 wrote to memory of 1264	2776	ilzuko.exe	18
PID 2776 wrote to memory of 1264	2776	ilzuko.exe	18
PID 2776 wrote to memory of 1264	2776	ilzuko.exe	18
PID 2172 wrote to memory of 2608	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	30
PID 2172 wrote to memory of 2608	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	30
PID 2172 wrote to memory of 2608	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	30
PID 2172 wrote to memory of 2608	2172	14f7a45abaa9c9bbec98ae27c1586528.exe	30
PID 2776 wrote to memory of 1264	2776	ilzuko.exe	18
PID 2776 wrote to memory of 1264	2776	ilzuko.exe	18
PID 2776 wrote to memory of 1520	2776	ilzuko.exe	17
PID 2776 wrote to memory of 1520	2776	ilzuko.exe	17
PID 2776 wrote to memory of 1520	2776	ilzuko.exe	17
PID 2776 wrote to memory of 1520	2776	ilzuko.exe	17
PID 2776 wrote to memory of 1520	2776	ilzuko.exe	17
PID 2776 wrote to memory of 2608	2776	ilzuko.exe	30

C:\Users\Admin\AppData\Local\Temp\14f7a45abaa9c9bbec98ae27c1586528.exe
"C:\Users\Admin\AppData\Local\Temp\14f7a45abaa9c9bbec98ae27c1586528.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\14f7a45abaa9c9bbec98ae27c1586528.exe
  "C:\Users\Admin\AppData\Local\Temp\14f7a45abaa9c9bbec98ae27c1586528.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe
    "C:\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe
      "C:\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp892b37b2.bat"
    3⤵
    - Deletes itself
    PID:2608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1520

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp892b37b2.bat

Filesize
243B

MD5
e61f3f071430fd3704d08071ddba4044

SHA1
493d7496b0b961d06b940550c532460aad5b4813

SHA256
0d6cc81966b8c6b043784ebcaad4c70a819af1407079af4f3d08aa688ac36611

SHA512
1bcd9c1a8452f3f768f12fc635ff390bdb2fdc094542c4619ac5f2875d76215476a03c9c8ae50e0b08a5c22df02cfee473bfbeb7571c8ed9aba616851a186d4c

Download Submit
C:\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe

Filesize
317KB

MD5
d9dac1c676eb361f64c92b8958c02957

SHA1
b9092a26fd454a253e7259e665f14a780d537332

SHA256
810a8312742fc0aa340671a7dbd0430264fe633ad28cce3d9f90f7caef189836

SHA512
ef2a4968ba9ecff920e3b26966aba200b09730d0850b2250ed0fdd1c1ad930f78e24ffdc3fc36585833697e08e725dbc698ab5f8d55bd2bb4e82c466d6f17351

Download Submit
C:\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe

Filesize
231KB

MD5
a9e2761c0c11eedf88f9eaadceb1b83c

SHA1
780103f3782d5da0777494dee2d82b8696a2399a

SHA256
92ae9f7e6eda44a3f0f52a614174bb021c19899f370793e1606ca548d6c2d12f

SHA512
1da8db7aeb8047c7ad13487b10d791c42929b755b75d3ea3d22ee67ec513cc04bbaa94827b76dbc0bb18bfaf832a6164e73fb9e6c6dc00fc2b968bff1869d593

Download Submit
\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe

Filesize
62KB

MD5
d5ad7cc0779f883a190a7281f368286f

SHA1
58ccb300563c867766cb26b6abdc5ab4d14e668f

SHA256
adcaeeffc3592f9b9dc3da90f18abcb56b95fcf5c51552576e3ccfb049bf4139

SHA512
b2168fa9f58ea7a4856cf7c096689d9dc2c25ef302f2e243586b1b4eee281c0c81a7341aec76611bd378d1450f49e8ce0db7a9479225100d81590ca70f643e94

Download Submit
\Users\Admin\AppData\Roaming\Elaza\ilzuko.exe

Filesize
254KB

MD5
e2146cb6c9c8226a8d260b816760bee3

SHA1
513ff33ef265bfac4d96fbd888bdd2c61079e1a9

SHA256
3e2562bc4126751b55b866af2c69e325f91d373d8095fe9644096a12b850c1dc

SHA512
6a5b434013baa3ac4b47f2337fec146dd0e247d906414647d595acdd58c406a318d40de6c4f5280f307cd7fb3bc65090624843ddf3a0be5179ba56722f0e88a3

Download Submit
memory/1120-52-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1120-53-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1120-54-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1120-55-0x0000000001DA0000-0x0000000001DE4000-memory.dmp

Filesize
272KB

Download
memory/1212-57-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1212-60-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1212-59-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1212-58-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1264-64-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1264-63-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1264-67-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1264-62-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1520-69-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1520-72-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1520-70-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1520-71-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1824-3-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/1824-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1824-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2004-46-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2004-30-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2004-36-0x0000000000320000-0x0000000000379000-memory.dmp

Filesize
356KB

Download
memory/2172-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-29-0x0000000000390000-0x00000000003E9000-memory.dmp

Filesize
356KB

Download
memory/2172-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download