Malware Analysis Report

2025-03-14 22:31

Sample ID 240304-rdzg1sbh8y
Target b250c62b3f1da424611acaf3ab5621ce
SHA256 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
Tags
upx persistence
score
8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb

Threat Level: Likely malicious

The file b250c62b3f1da424611acaf3ab5621ce was found to be: Likely malicious.

Malicious Activity Summary

upx persistence

Modifies AppInit DLL entries

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 14:05

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 14:05

Reported

2024-03-04 14:07

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"

Signatures

Modifies AppInit DLL entries

persistence

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\zfashlk.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A
File opened for modification | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A
File created | C:\Windows\SysWOW64\zfashl.dll | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe

"C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"

C:\Windows\SysWOW64\zfashlk.exe

C:\Windows\system32\zfashlk.exe ˜‰

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat

Network

N/A

Files

memory/2240-0-0x0000000000400000-0x000000000040E000-memory.dmp

\Windows\SysWOW64\zfashlk.exe

MD5 b250c62b3f1da424611acaf3ab5621ce
SHA1 a43ebdf943903fd5ac8d9cf890239218e6b5ce86
SHA256 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
SHA512 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf

memory/2240-4-0x0000000000240000-0x000000000024E000-memory.dmp

memory/2240-10-0x0000000000240000-0x000000000024E000-memory.dmp

memory/2040-12-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2240-13-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2240-16-0x0000000000240000-0x000000000024E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat

MD5 4abb5163230be467435a2827f3b68eb8
SHA1 5d2019d79979f71474b25f0aecae903a7d73b2ce
SHA256 284679f68ed1de52106de7ed96dfe033ea1132f2873ed5a18fc9f5a72b3e21b7
SHA512 bd62daa58d797ce87a255e931dec507a4c583c5693f679703d932666ff266e5f0c4d8ed16e8d1a309a2d3f2f29debe30dc32589409ab9dfa7cf6f8cdcd49e377

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 14:05

Reported

2024-03-04 14:07

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\zfashlk.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\zfashl.dll | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A
File created | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A
File opened for modification | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe

"C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"

C:\Windows\SysWOW64\zfashlk.exe

C:\Windows\system32\zfashlk.exe ˜‰

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 216.58.213.10:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp

Files

memory/1632-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\SysWOW64\zfashlk.exe

MD5 b250c62b3f1da424611acaf3ab5621ce
SHA1 a43ebdf943903fd5ac8d9cf890239218e6b5ce86
SHA256 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
SHA512 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf

memory/1632-6-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4988-7-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat

MD5 4abb5163230be467435a2827f3b68eb8
SHA1 5d2019d79979f71474b25f0aecae903a7d73b2ce
SHA256 284679f68ed1de52106de7ed96dfe033ea1132f2873ed5a18fc9f5a72b3e21b7
SHA512 bd62daa58d797ce87a255e931dec507a4c583c5693f679703d932666ff266e5f0c4d8ed16e8d1a309a2d3f2f29debe30dc32589409ab9dfa7cf6f8cdcd49e377