Analysis Overview
SHA256
4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
Threat Level: Likely malicious
The file b250c62b3f1da424611acaf3ab5621ce was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Loads dropped DLL
UPX packed file
Deletes itself
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-04 14:05
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 14:05
Reported
2024-03-04 14:07
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Modifies AppInit DLL entries
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\zfashlk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
| File created | C:\Windows\SysWOW64\zfashl.dll | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe
"C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"
C:\Windows\SysWOW64\zfashlk.exe
C:\Windows\system32\zfashlk.exe ˜‰
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat
Network
Files
memory/2240-0-0x0000000000400000-0x000000000040E000-memory.dmp
\Windows\SysWOW64\zfashlk.exe
| MD5 | b250c62b3f1da424611acaf3ab5621ce |
| SHA1 | a43ebdf943903fd5ac8d9cf890239218e6b5ce86 |
| SHA256 | 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb |
| SHA512 | 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf |
memory/2240-4-0x0000000000240000-0x000000000024E000-memory.dmp
memory/2240-10-0x0000000000240000-0x000000000024E000-memory.dmp
memory/2040-12-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2240-13-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2240-16-0x0000000000240000-0x000000000024E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat
| MD5 | 4abb5163230be467435a2827f3b68eb8 |
| SHA1 | 5d2019d79979f71474b25f0aecae903a7d73b2ce |
| SHA256 | 284679f68ed1de52106de7ed96dfe033ea1132f2873ed5a18fc9f5a72b3e21b7 |
| SHA512 | bd62daa58d797ce87a255e931dec507a4c583c5693f679703d932666ff266e5f0c4d8ed16e8d1a309a2d3f2f29debe30dc32589409ab9dfa7cf6f8cdcd49e377 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-04 14:05
Reported
2024-03-04 14:07
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\zfashlk.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\zfashl.dll | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
| File created | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zfashlk.exe | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1632 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | C:\Windows\SysWOW64\zfashlk.exe |
| PID 1632 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | C:\Windows\SysWOW64\zfashlk.exe |
| PID 1632 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | C:\Windows\SysWOW64\zfashlk.exe |
| PID 1632 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1632 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1632 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe
"C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"
C:\Windows\SysWOW64\zfashlk.exe
C:\Windows\system32\zfashlk.exe ˜‰
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.213.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
Files
memory/1632-0-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Windows\SysWOW64\zfashlk.exe
| MD5 | b250c62b3f1da424611acaf3ab5621ce |
| SHA1 | a43ebdf943903fd5ac8d9cf890239218e6b5ce86 |
| SHA256 | 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb |
| SHA512 | 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf |
memory/1632-6-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4988-7-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat
| MD5 | 4abb5163230be467435a2827f3b68eb8 |
| SHA1 | 5d2019d79979f71474b25f0aecae903a7d73b2ce |
| SHA256 | 284679f68ed1de52106de7ed96dfe033ea1132f2873ed5a18fc9f5a72b3e21b7 |
| SHA512 | bd62daa58d797ce87a255e931dec507a4c583c5693f679703d932666ff266e5f0c4d8ed16e8d1a309a2d3f2f29debe30dc32589409ab9dfa7cf6f8cdcd49e377 |