Analysis
max time kernel: 97s
max time network: 135s
platform: windows11-21h2_x64
resource: win11-20240214-en
resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/02/2024, 20:17
Static task
static1: 1 signatures
Behavioral task
behavioral1
Sample: zig.exe
Resource: win11-20240214-en
4 signatures, 150 seconds
General
Target: zig.exe
Size: 148.8MB
MD5: d3b675d9dbe08f2994b9e01be8f4bc8d
SHA1: 8317e3d2e62839f99d9bb117eaea5913ca37b761
SHA256: d3ecb4c98f6639e57ddca147f4008437ee07558c969b1c3dc62697ffb06ac94e
SHA512: bf7947500bec21bfe9655dd08f274114784e8a314091bba458d6667248e70fdfd0b63be95ab3ee5da39a4b01148d2e4cb38a42960f484f2992d18ae1c989168e
SSDEEP: 786432:7Ixf4iy9nUjOwC1am1+IyuTHZFHORaRnVhzkIIGCsYOmw6uEJheu8DvODn:0d4luOJ1am1+Iyu7ZNVSIqOmw0he
Score: 1/10
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                   Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  POWERPNT.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 POWERPNT.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                              Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid  Process
404  POWERPNT.EXE

Suspicious use of SetWindowsHookEx (4 IoCs)
pid  Process
404  POWERPNT.EXE
404  POWERPNT.EXE
404  POWERPNT.EXE
404  POWERPNT.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\zig.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zig.exe"
  PID: 1952

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2228

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Documents\WriteWait.pptx" /ou ""
  PID: 404
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx