34e595b83b7bb8cb87366da963513f3fab248e366174a0753d55f126c08e6e58

Analysis

max time kernel
32s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022e71686224da861ba81730c15ef2b8.exe
Size

236KB
MD5

022e71686224da861ba81730c15ef2b8
SHA1

7e548b7d86d51ecdd07a9947bece222893592843
SHA256

34e595b83b7bb8cb87366da963513f3fab248e366174a0753d55f126c08e6e58
SHA512

712eaaaed70e0beb90ef4e4ce1dc30bb4e830caf2585d4242aa8ba0f9edee2080496821c43a226dab0887d802e8511be3a49889634a5624a7fe618202cae3db9
SSDEEP

3072:D6VlhsJ0JsvyMZeIT51B8u0gWCyiHCUPqgxh:dSJuyMwItf8u0gWCyiHCm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	022e71686224da861ba81730c15ef2b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zuaak.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	022e71686224da861ba81730c15ef2b8.exe

Executes dropped EXE 1 IoCs

pid	Process
4636	zuaak.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuaak = "C:\\Users\\Admin\\zuaak.exe /u"	022e71686224da861ba81730c15ef2b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuaak = "C:\\Users\\Admin\\zuaak.exe /q"	zuaak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	022e71686224da861ba81730c15ef2b8.exe
2736	022e71686224da861ba81730c15ef2b8.exe
4636	zuaak.exe
4636	zuaak.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	022e71686224da861ba81730c15ef2b8.exe
4636	zuaak.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4636	2736	022e71686224da861ba81730c15ef2b8.exe	95
PID 2736 wrote to memory of 4636	2736	022e71686224da861ba81730c15ef2b8.exe	95
PID 2736 wrote to memory of 4636	2736	022e71686224da861ba81730c15ef2b8.exe	95

C:\Users\Admin\AppData\Local\Temp\022e71686224da861ba81730c15ef2b8.exe
"C:\Users\Admin\AppData\Local\Temp\022e71686224da861ba81730c15ef2b8.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\zuaak.exe
  "C:\Users\Admin\zuaak.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\zuaak.exe

Filesize
92KB

MD5
ce7ac8e9f79b1aa2132d446c1cd3fce2

SHA1
3bc4bdba9f45adea9ed49fdadb9a04956974f56a

SHA256
d7276d6a04c5aaedd47dcae5ce2db529d40fc9bcbbab7ed9f4b05dd165df87fc

SHA512
7a94683ff139fb509ecce53bac700e285e0d7172bea68e99abee3df9767aef3a7f779ce54d707e67da008818eff6b1a6fff2ebf2b07d274522cdb6ecc6a0756e

Download Submit
C:\Users\Admin\zuaak.exe

Filesize
170KB

MD5
5be1bc436bff9c88f1e78618d025098c

SHA1
c415659fa2c10b8f4ff922ed1ab8b62272f1e5eb

SHA256
5510314209eafe330e7a57c54fa13798c63ad763479218896cb2feadf51ff160

SHA512
b23ec1fbc8b4559c094b6eeaca5d0b79f7c230539ac95a75ad44c5580e3914e513c18cb28add64130ac424b748256836c1c16c0c946fda16edffdd2f5d68cea9

Download Submit
C:\Users\Admin\zuaak.exe

Filesize
236KB

MD5
44738c76153b5b86363534c0f09dcf66

SHA1
0091b4c24ee3f4bbab438ed297e53c7a3c98363c

SHA256
b5d2e0b3c0415d3bb6c69108d8148fe67dbace5ba69d996e2870d80485fb867d

SHA512
cbdb7a112d5898fc627b1da7f6bfa5f13d867603222c77f1a9723909d15f5da9b9fde370d2683b36c6fc6bf6f91e29d0dc938fd15c1e739f81b0d0b556661b9f

Download Submit
memory/2736-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-34-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download