a7b910428519f22a5c701b936b7e81b3c3ec2e52f8ccb90a650a41e9c902e315

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723eee3973a2f3bc6a1251fb187b3420.exe
Size

14KB
MD5

723eee3973a2f3bc6a1251fb187b3420
SHA1

e7f8b72e1b091ca2d93c3778810f1f9794f62b1d
SHA256

a7b910428519f22a5c701b936b7e81b3c3ec2e52f8ccb90a650a41e9c902e315
SHA512

1cb01ba0dce70bcce17669976580a3dda232d7d19d7aed18a7c8f79003aa705ecaea0fd5e3ce26b8ff50cac7585fa9ea2995ec23443d4a4aefe8ea42e8446c93
SSDEEP

384:VvI2g4LSz8mtS9ooqPmOpDa3qcEbIfKPHaiO+TelB2:VvI2s4KS6oqPnpDa3iAKzO+TwB

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	zongximk.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	723eee3973a2f3bc6a1251fb187b3420.exe
2548	723eee3973a2f3bc6a1251fb187b3420.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000c000000013144-3.dat	upx
behavioral1/memory/2548-4-0x0000000000230000-0x0000000000240000-memory.dmp	upx
behavioral1/memory/2484-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2548-12-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2484-13-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zongximk.exe	723eee3973a2f3bc6a1251fb187b3420.exe
File created	C:\Windows\SysWOW64\zongxim.dll	723eee3973a2f3bc6a1251fb187b3420.exe
File created	C:\Windows\SysWOW64\zongximk.exe	723eee3973a2f3bc6a1251fb187b3420.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2484	2548	723eee3973a2f3bc6a1251fb187b3420.exe	28
PID 2548 wrote to memory of 2484	2548	723eee3973a2f3bc6a1251fb187b3420.exe	28
PID 2548 wrote to memory of 2484	2548	723eee3973a2f3bc6a1251fb187b3420.exe	28
PID 2548 wrote to memory of 2484	2548	723eee3973a2f3bc6a1251fb187b3420.exe	28
PID 2548 wrote to memory of 2820	2548	723eee3973a2f3bc6a1251fb187b3420.exe	29
PID 2548 wrote to memory of 2820	2548	723eee3973a2f3bc6a1251fb187b3420.exe	29
PID 2548 wrote to memory of 2820	2548	723eee3973a2f3bc6a1251fb187b3420.exe	29
PID 2548 wrote to memory of 2820	2548	723eee3973a2f3bc6a1251fb187b3420.exe	29

C:\Users\Admin\AppData\Local\Temp\723eee3973a2f3bc6a1251fb187b3420.exe
"C:\Users\Admin\AppData\Local\Temp\723eee3973a2f3bc6a1251fb187b3420.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\zongximk.exe
  C:\Windows\system32\zongximk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\723eee3973a2f3bc6a1251fb187b3420.exe.bat
  2⤵
  - Deletes itself
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\723eee3973a2f3bc6a1251fb187b3420.exe.bat

Filesize
182B

MD5
53b46c15b8824cd09e6ac0276eb797a9

SHA1
83a7bde2bc40fd89070f35bda7b00f86ec08de45

SHA256
f66392aa6dff214416b9cbf0697cb5c775c9ea63f29e5c62ee1dc0f4a7674250

SHA512
8b6950f8954529ab91f01f7d6cef84d4130bf14589eecdca9951e344e0404c942305e2326aecfd16a0ad49ed2fed0a1a46fde6ff6e677dcb4e41fba7d6d9a47b

Download Submit
\Windows\SysWOW64\zongximk.exe

Filesize
14KB

MD5
723eee3973a2f3bc6a1251fb187b3420

SHA1
e7f8b72e1b091ca2d93c3778810f1f9794f62b1d

SHA256
a7b910428519f22a5c701b936b7e81b3c3ec2e52f8ccb90a650a41e9c902e315

SHA512
1cb01ba0dce70bcce17669976580a3dda232d7d19d7aed18a7c8f79003aa705ecaea0fd5e3ce26b8ff50cac7585fa9ea2995ec23443d4a4aefe8ea42e8446c93

Download Submit
memory/2484-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2484-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2548-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2548-4-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2548-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2548-16-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download