3d44f17535a072608e4c7b7e5958ea8a63a9eff42d39d843510e2c1257c3f4be

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c13ca45edd1b1f0408ef264dbb1e6d3.exe
Size

13KB
MD5

8c13ca45edd1b1f0408ef264dbb1e6d3
SHA1

8ad8a700bd97fc5174ad59c3aa5d4c751231bf48
SHA256

3d44f17535a072608e4c7b7e5958ea8a63a9eff42d39d843510e2c1257c3f4be
SHA512

f068195d72ab23da865a5c5afd227a717e118590729d70c2affef6bfa5aecd1c3cfddc86264e084a44f2c643138284927046897968f5ba3ba80c3f18138e8194
SSDEEP

384:Bgs+2gjmu+kAQkjwY8igg+09sQyw0FeAEJM+:BgsBuAQkjHcLJFrEJ

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	zesttnsk.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe
2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000012281-3.dat	upx
behavioral1/memory/2008-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2204-19-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zesttns.dll	8c13ca45edd1b1f0408ef264dbb1e6d3.exe
File created	C:\Windows\SysWOW64\zesttnsk.exe	8c13ca45edd1b1f0408ef264dbb1e6d3.exe
File opened for modification	C:\Windows\SysWOW64\zesttnsk.exe	8c13ca45edd1b1f0408ef264dbb1e6d3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2008	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	28
PID 2204 wrote to memory of 2008	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	28
PID 2204 wrote to memory of 2008	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	28
PID 2204 wrote to memory of 2008	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	28
PID 2204 wrote to memory of 2840	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	29
PID 2204 wrote to memory of 2840	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	29
PID 2204 wrote to memory of 2840	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	29
PID 2204 wrote to memory of 2840	2204	8c13ca45edd1b1f0408ef264dbb1e6d3.exe	29

C:\Users\Admin\AppData\Local\Temp\8c13ca45edd1b1f0408ef264dbb1e6d3.exe
"C:\Users\Admin\AppData\Local\Temp\8c13ca45edd1b1f0408ef264dbb1e6d3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\zesttnsk.exe
  C:\Windows\system32\zesttnsk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8c13ca45edd1b1f0408ef264dbb1e6d3.exe.bat
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8c13ca45edd1b1f0408ef264dbb1e6d3.exe.bat

Filesize
182B

MD5
96042daa88f734ff688909dd660a3b53

SHA1
04c486fc0708dc5775be72737d47880c2e00abca

SHA256
09019ec781c28e5a8706fffaf1b76249c09409b3d2701a8cf0a6b3e789a666a8

SHA512
424f3c848f7df64d4c3477ab31a8022810369fb9c88c78f1657c5fa6d5acba11bdc54ad39c0f1bc289b2f03a847d2be8d90ccd3ab0cb169f43e91c496d631084

Download Submit
\Windows\SysWOW64\zesttnsk.exe

Filesize
13KB

MD5
8c13ca45edd1b1f0408ef264dbb1e6d3

SHA1
8ad8a700bd97fc5174ad59c3aa5d4c751231bf48

SHA256
3d44f17535a072608e4c7b7e5958ea8a63a9eff42d39d843510e2c1257c3f4be

SHA512
f068195d72ab23da865a5c5afd227a717e118590729d70c2affef6bfa5aecd1c3cfddc86264e084a44f2c643138284927046897968f5ba3ba80c3f18138e8194

Download Submit
memory/2008-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2204-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2204-10-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2204-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download