Analysis
max time kernel: 147s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 10:11
Static task: static1
Behavioral task: behavioral1
  Sample: 1642f909ffc4d2a43ac7e3e0507abac1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1642f909ffc4d2a43ac7e3e0507abac1.exe
  Resource: win10v2004-20231215-en
General
Target: 1642f909ffc4d2a43ac7e3e0507abac1.exe
Size: 432KB
MD5: 1642f909ffc4d2a43ac7e3e0507abac1
SHA1: 7014408c7dbfe19d4ff47402d8f2c54e9c2cdaf3
SHA256: 19c2882db5ef1d03925023db4ae8f13dd5da577d84a1a578ec7ef9ba495ee1c7
SHA512: a5f40aa29b3917d11a26d277f3111e3803b7a5b4c9e743ae3ed7c7fe9982acb7486c188c22a3d910a52eda034a50afaed946fd009e75fd69660e24f390f8c2e8
SSDEEP: 6144:61V3dIgi71nAv/szQRzf4Zj3JVyN/Y53fZ6ZsVb7:4V3dInSssRWjPy9Y53B6A7
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 1642f909ffc4d2a43ac7e3e0507abac1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cizoc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 1642f909ffc4d2a43ac7e3e0507abac1.exe
Executes dropped EXE 1 IoCs
pid | Process
2896 | cizoc.exe
Adds Run key to start application 2 TTPs 27 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /a" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /o" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /u" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /p" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /e" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /b" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /f" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /c" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /m" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /x" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /n" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /t" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /d" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /k" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /v" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /l" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /i" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /r" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /s" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /g" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /w" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /q" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /y" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /z" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /h" | cizoc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /n" | 1642f909ffc4d2a43ac7e3e0507abac1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cizoc = "C:\\Users\\Admin\\cizoc.exe /j" | cizoc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1004 | 1642f909ffc4d2a43ac7e3e0507abac1.exe (2 entries)
2896 | cizoc.exe (the remaining 62 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1004 | 1642f909ffc4d2a43ac7e3e0507abac1.exe
2896 | cizoc.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1004 wrote to memory of 2896 | 1004 | 1642f909ffc4d2a43ac7e3e0507abac1.exe | 92
PID 1004 wrote to memory of 2896 | 1004 | 1642f909ffc4d2a43ac7e3e0507abac1.exe | 92
PID 1004 wrote to memory of 2896 | 1004 | 1642f909ffc4d2a43ac7e3e0507abac1.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\1642f909ffc4d2a43ac7e3e0507abac1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1642f909ffc4d2a43ac7e3e0507abac1.exe"
   PID: 1004
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\cizoc.exe
      Command line: "C:\Users\Admin\cizoc.exe"
      PID: 2896
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 381KB
  MD5: 7fc21fac20202e09780362ec3c5221a2
  SHA1: 4e3b761816f4d62820ffca8840d68cad881edbf2
  SHA256: 2982bdbdeb969ad25f32051705679a81b0439ef158dc02610e6150466443d052
  SHA512: a0ac477b086ade5d0166626604c4dfb5dd94a6ca32233b197fed1d48551aca7db9ecb6df260e8255dfd8add14177ddcbf715487e8770c9a1bdc6c32f2c99e988
File 2
  Filesize: 386KB
  MD5: ba85a8d9458e059e234998c7927ce944
  SHA1: 8a8f284a0d01381e76528db6c1c11ba6791ec42a
  SHA256: 563cf9be219847cefd83d489258939b540beffed752dc8ee71fc93d13e05f17c
  SHA512: 46f0063638d4bfa7f197d1f6fbf2d3d9ae3b88c84c91155a8c5cc2df0975f8c31ab3f9273892c80176746459eff649ddcd258b7d0269087ee9fece848bad0f0c