e3a3ec2622ac1646bdec5482e48b33684a768e28ae46c5e5d794ae686bfc2c31

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70cd245320c157188cce63db27fac4dc.exe
Size

18KB
MD5

70cd245320c157188cce63db27fac4dc
SHA1

7ef40c3d68e2cf20c86ef344a63e538b43d3e789
SHA256

e3a3ec2622ac1646bdec5482e48b33684a768e28ae46c5e5d794ae686bfc2c31
SHA512

a2a40798e3924da875347af287203836730e0dfcaede0ee2cacbc61cc482ad563500885dbd76cc4be83e8b8d72962d649deaa577926f64b73a51df17387b6bda
SSDEEP

384:xVKKPwVJWUOoT6j5lisBIsxwUmmD2mWL1yQ3V3XQ1+rO:+P0gsBrDTaByQFo+rO

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2988	70cd245320c157188cce63db27fac4dc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zgrjdx.dll.LoG	70cd245320c157188cce63db27fac4dc.exe
File created	C:\Windows\SysWOW64\zgrjdx.dll	70cd245320c157188cce63db27fac4dc.exe
File created	C:\Windows\SysWOW64\tf0	70cd245320c157188cce63db27fac4dc.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\ = "MICROSOFT"	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32	70cd245320c157188cce63db27fac4dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32\ = "C:\\Windows\\SysWow64\\zgrjdx.dll"	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION	70cd245320c157188cce63db27fac4dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS	70cd245320c157188cce63db27fac4dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER	70cd245320c157188cce63db27fac4dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32\ThreadingModel = "Apartment"	70cd245320c157188cce63db27fac4dc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2988	70cd245320c157188cce63db27fac4dc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2988	70cd245320c157188cce63db27fac4dc.exe
Token: SeRestorePrivilege	2988	70cd245320c157188cce63db27fac4dc.exe
Token: SeBackupPrivilege	2988	70cd245320c157188cce63db27fac4dc.exe
Token: SeRestorePrivilege	2988	70cd245320c157188cce63db27fac4dc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2988	70cd245320c157188cce63db27fac4dc.exe
2988	70cd245320c157188cce63db27fac4dc.exe
2988	70cd245320c157188cce63db27fac4dc.exe

C:\Users\Admin\AppData\Local\Temp\70cd245320c157188cce63db27fac4dc.exe
"C:\Users\Admin\AppData\Local\Temp\70cd245320c157188cce63db27fac4dc.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\zgrjdx.dll

Filesize
217KB

MD5
e2463b61561e49a6f72bfaf800b36678

SHA1
0bb2a4ba37371cd36b5d41e9422200dfeca37e7c

SHA256
7f756481301c6af641a2e9b069842af08253d108d3ebe693af03ae0f95dcb5b3

SHA512
3174067e9fa77deca4a2be6631c7bb76fed8cd3329915abe9e36f30f3540c1c599b63e56ef1bdef683fe5dea9da326efc603b935a90dfe4b71faca2f07f49abf

Download Submit
memory/2988-2-0x0000000000260000-0x000000000026D000-memory.dmp

Filesize
52KB

Download
memory/2988-5-0x0000000000260000-0x000000000026D000-memory.dmp

Filesize
52KB

Download