4f228282f92c3621dc4a2b243e8a3ae36522bad053b0444d8651e129f2ce2c25

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe
Size

964KB
MD5

0d7a2e8faf344ed406ca9eaa0b9d3fc9
SHA1

5b30fb13384b1c94181244f500f6a8172e427bc3
SHA256

4f228282f92c3621dc4a2b243e8a3ae36522bad053b0444d8651e129f2ce2c25
SHA512

1e1c3014ccad39fa2ad645c40102081722e78acd4764115a73036dc85f00b4161332fa5d15112065c8a2bbc1377e67d282489978dde3a552f120824bd20d112f
SSDEEP

24576:Yrl4YBHXOjXXzOfyhCTL9bi2bVETSTH523r1sDJH:Yqi+zzOt9b/bVuYsb1sDJH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1104	zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe	0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe
File opened for modification	C:\Windows\zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe	0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe
File created	C:\Windows\Editor.exe	zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1104	1160	0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe	23
PID 1160 wrote to memory of 1104	1160	0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe	23
PID 1160 wrote to memory of 1104	1160	0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe	23
PID 1160 wrote to memory of 1104	1160	0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe	23

C:\Users\Admin\AppData\Local\Temp\0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe
"C:\Users\Admin\AppData\Local\Temp\0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe
  "C:\Windows\zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe

Filesize
434KB

MD5
89485193fa38cd1eae935897d678944d

SHA1
20d73b0b083190d8249a565eed252355744e5b9b

SHA256
b2166374b12fc777ad6df9ae68c8b3760117b8ca32862efbfeb46898dd118def

SHA512
2e7588e33fe9f3f7d26c29c717199c52b8624b8caeda913a5036a63d987c008f35a3dfc5e6af7e30fb19b267649577ce7c5c50bdbf49bc6108774acae1855b46

Download Submit
C:\Windows\zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe

Filesize
354KB

MD5
ef1d0bb7a3fc2e24caa1c2704a76f26c

SHA1
8b94782ce1ca89d6a2a33c3a44b6c36b8eda399e

SHA256
6035f779e7d14684cd9663c35571f9a4ebd358c21fe51de93376880029a37a59

SHA512
60ec2a926c60deed3ad978467f962412de63765baf542ba2a6a661aa81b0c5c3f097d6bf8fa0a96d45f397560e46648c96103d4455ce92e3d1074272cbcff4d4

Download Submit
C:\Windows\zerub3_0d7a2e8faf344ed406ca9eaa0b9d3fc9.exe

Filesize
369KB

MD5
f3382a6c03bcb3cb91cd7bfa3cddf932

SHA1
d643b00dcb61075215aedb9e2aaf7bd17e12b353

SHA256
85077d505fd7bf149544db6e199685364dcb11f202b3a2e1c7a7dea2018d5234

SHA512
6fab1824bd92837c2bb67ba0e3f034bca6880eaa1a370d3541fece9981e18b0b2cdbe98148ae3df4e09cb8cc948bf7f5673a4815f319da7a3e58ec03a1d54794

Download Submit
memory/1104-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1104-10-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/1160-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1160-8-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download