16be09859cb808f49ad5354878b342ce20ec4bdb86517e7e2b100e89dc626ed7

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01aa020c133ddff8834e184fa2ced397.exe
Size

124KB
MD5

01aa020c133ddff8834e184fa2ced397
SHA1

19db8f0440b414ab62561aea89ab7d18479813a9
SHA256

16be09859cb808f49ad5354878b342ce20ec4bdb86517e7e2b100e89dc626ed7
SHA512

f62c196d80d8f3f6c321adaea94c7fd6782585849c0977a2292648942e617b879b70abf186249aebae25a70b55107b96f0b854f890d547012ba4db087f60d259
SSDEEP

1536:2eJ9pKApeU0GgAYu0P1kNmwldCMhdu8KWP/nTn8nBP9VewNeG0h/l:r9pR0U0GgA898t

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	01aa020c133ddff8834e184fa2ced397.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zulan.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	zulan.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	01aa020c133ddff8834e184fa2ced397.exe
2188	01aa020c133ddff8834e184fa2ced397.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /H"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /c"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /q"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /I"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /C"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /W"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /Y"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /B"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /Q"	01aa020c133ddff8834e184fa2ced397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /V"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /d"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /T"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /K"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /O"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /S"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /u"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /n"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /A"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /z"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /X"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /M"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /U"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /o"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /v"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /Z"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /r"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /N"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /x"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /Q"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /L"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /g"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /k"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /D"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /l"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /G"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /b"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /P"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /F"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /h"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /E"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /i"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /R"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /s"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /t"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /y"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /p"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /f"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /w"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /e"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /j"	zulan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\zulan = "C:\\Users\\Admin\\zulan.exe /J"	zulan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	01aa020c133ddff8834e184fa2ced397.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe
2384	zulan.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2188	01aa020c133ddff8834e184fa2ced397.exe
2384	zulan.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2384	2188	01aa020c133ddff8834e184fa2ced397.exe	28
PID 2188 wrote to memory of 2384	2188	01aa020c133ddff8834e184fa2ced397.exe	28
PID 2188 wrote to memory of 2384	2188	01aa020c133ddff8834e184fa2ced397.exe	28
PID 2188 wrote to memory of 2384	2188	01aa020c133ddff8834e184fa2ced397.exe	28

C:\Users\Admin\AppData\Local\Temp\01aa020c133ddff8834e184fa2ced397.exe
"C:\Users\Admin\AppData\Local\Temp\01aa020c133ddff8834e184fa2ced397.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\zulan.exe
  "C:\Users\Admin\zulan.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\zulan.exe

Filesize
124KB

MD5
d019b9e01bd452c850024b72b8e462fd

SHA1
88bd2517eb4b9aec278ea2684a0c4638c73dc7c9

SHA256
6af575b089008153f2b787f3ee6d464c8bbee36362857890aeb465639206e022

SHA512
9e84176f97b218991834ae6b8052906ec7c0fa5fc4587c1f24afaa58aafdc226c47c6d764e4f57d83987df6c4e72b3d0592b3113231b42c986ab5dc889a8e2cc

Download Submit
C:\Users\Admin\zulan.exe

Filesize
93KB

MD5
15f3be00fc6247f6e8ebbfd9793d894d

SHA1
cc39d416314ef8ced72248053a61973b3c3c5807

SHA256
7fa6620b920d7fdee02d91b9ebc4028cdf6f57f7110d53fb2b9dbe0570dedbbe

SHA512
59f626cd7544dd88e34b251d665620a209bbc8c62c5a5c81ba93a350685dae6f29c357058d5fa2c55c2f13177594c36ee44f4acbb0e3ef92c74f962aafe32480

Download Submit