Analysis
max time kernel
150s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
28/02/2024, 22:16
Static task
static1
Behavioral task
behavioral1
Sample
acfe51f890292a8bcad98471196f3e19.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
acfe51f890292a8bcad98471196f3e19.exe
Resource
win10v2004-20240226-en
General
Target
acfe51f890292a8bcad98471196f3e19.exe
Size
142KB
MD5
acfe51f890292a8bcad98471196f3e19
SHA1
eddf66bc8aa43de72c07c15c81fa77e1675af1f9
SHA256
6726b59b8c296defe209c489c1dc4da272ee6d1cc83cbbbb6d80b5e94807227d
SHA512
65068ce8df23918f08935a1cdcdc58903fdd426de57903278bd351dd5dabec544e956a8af394ad40d4d5745febb4084aa6d7a860fbbafccac9908da4aab6cd45
SSDEEP
3072:pMc0mi9llxD9KQcJJ78IrDlq2RzFq247DCLTzltNSFN9b23y0PEOmuHw794rK9fK:p+bbD9KQcJJ78IrDlq2RzFq247DCLTzE
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zaook.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation acfe51f890292a8bcad98471196f3e19.exe
Executes dropped EXE 1 IoCs
pid Process 4328 zaook.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaook = "C:\\Users\\Admin\\zaook.exe" zaook.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4328 zaook.exe (same entry repeated for all 64 IoCs)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5096 acfe51f890292a8bcad98471196f3e19.exe 4328 zaook.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5096 wrote to memory of 4328 5096 acfe51f890292a8bcad98471196f3e19.exe 94 (entry repeated three times) PID 4328 wrote to memory of 5096 4328 zaook.exe 46 (same entry repeated for the remaining IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\acfe51f890292a8bcad98471196f3e19.exe
"C:\Users\Admin\AppData\Local\Temp\acfe51f890292a8bcad98471196f3e19.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096
  C:\Users\Admin\zaook.exe (child of PID 5096)
  "C:\Users\Admin\zaook.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4328
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
142KB
MD5
6a665a7dc418c4b27b2096aa2eb62c6d
SHA1
37d38919254ee54d1784065705e51ba7e6fb5c23
SHA256
9449f0e0b132133e67f15f4221dc92c8a3f1e7ba5143d7c2b3533b66cf8fd67b
SHA512
a6c756ee9bcfe56eb1bb3738c78855bee5c9b356432a2480f147141323e2949de8864cb8279388acf2736539f3436cc3886753428ef74c8c4d153d240f4a01a0