bd2aff4ec2752c15513eec67479facf4c76bade082079579d791f54e40ce07a2

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f2c9ad4c55fa1bba772c417e6cc22a.exe
Size

194KB
MD5

b4f2c9ad4c55fa1bba772c417e6cc22a
SHA1

1f4a882e22211b5000dd3684e9dd431f8b7da1b6
SHA256

bd2aff4ec2752c15513eec67479facf4c76bade082079579d791f54e40ce07a2
SHA512

7e0c98e507d3ccb69ac3f8df115bf6f603b5045a3bd358d26d0a0e12525fae65fe092aa476fd6f24bdb3c70553099472faae704851e56254d97ca5cd60fd734b
SSDEEP

6144:FgTc//////Eul3ziM0kiTwuYV60DrpovHmIb:Yc//////Vz+dYV6ep+

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000231f3-13.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	ZT_Õ÷Í¾.exe

Executes dropped EXE 2 IoCs

pid	Process
3896	zthjmailaji.exe
4532	ZT_Õ÷Í¾.exe

Loads dropped DLL 2 IoCs

pid	Process
4532	ZT_Õ÷Í¾.exe
3896	zthjmailaji.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231eb-6.dat	upx
behavioral2/memory/4532-9-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/files/0x00070000000231f3-13.dat	upx
behavioral2/memory/4532-16-0x0000000010000000-0x0000000010013000-memory.dmp	upx
behavioral2/memory/3896-19-0x0000000010000000-0x0000000010013000-memory.dmp	upx
behavioral2/memory/4532-20-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4532-21-0x0000000010000000-0x0000000010013000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FsmBY3kmWnAG5gRbwGgU.inf	ZT_Õ÷Í¾.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\BcHCMJEEXFxaCm3q.Ttf	ZT_Õ÷Í¾.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7F1BFDC-4B6C-4E2F-AF7A-638D2D47802C}\InprocServer32	ZT_Õ÷Í¾.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7F1BFDC-4B6C-4E2F-AF7A-638D2D47802C}\InprocServer32\ = "C:\\Windows\\SysWow64\\FsmBY3kmWnAG5gRbwGgU.inf"	ZT_Õ÷Í¾.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7F1BFDC-4B6C-4E2F-AF7A-638D2D47802C}\InprocServer32\ThreadingModel = "Apartment"	ZT_Õ÷Í¾.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{B7F1BFDC-4B6C-4E2F-AF7A-638D2D47802C}\InprocServer32	ZT_Õ÷Í¾.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ZT_Õ÷Í¾.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID	ZT_Õ÷Í¾.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7F1BFDC-4B6C-4E2F-AF7A-638D2D47802C}	ZT_Õ÷Í¾.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4532	ZT_Õ÷Í¾.exe
4532	ZT_Õ÷Í¾.exe
4532	ZT_Õ÷Í¾.exe
4532	ZT_Õ÷Í¾.exe
4532	ZT_Õ÷Í¾.exe
4532	ZT_Õ÷Í¾.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe
Token: SeDebugPrivilege	4532	ZT_Õ÷Í¾.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4532	ZT_Õ÷Í¾.exe
3896	zthjmailaji.exe
3896	zthjmailaji.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4536	1692	b4f2c9ad4c55fa1bba772c417e6cc22a.exe	88
PID 1692 wrote to memory of 4536	1692	b4f2c9ad4c55fa1bba772c417e6cc22a.exe	88
PID 1692 wrote to memory of 4536	1692	b4f2c9ad4c55fa1bba772c417e6cc22a.exe	88
PID 1692 wrote to memory of 1488	1692	b4f2c9ad4c55fa1bba772c417e6cc22a.exe	89
PID 1692 wrote to memory of 1488	1692	b4f2c9ad4c55fa1bba772c417e6cc22a.exe	89
PID 1692 wrote to memory of 1488	1692	b4f2c9ad4c55fa1bba772c417e6cc22a.exe	89
PID 4536 wrote to memory of 3896	4536	cmd.exe	92
PID 4536 wrote to memory of 3896	4536	cmd.exe	92
PID 4536 wrote to memory of 3896	4536	cmd.exe	92
PID 1488 wrote to memory of 4532	1488	cmd.exe	93
PID 1488 wrote to memory of 4532	1488	cmd.exe	93
PID 1488 wrote to memory of 4532	1488	cmd.exe	93
PID 4532 wrote to memory of 3996	4532	ZT_Õ÷Í¾.exe	97
PID 4532 wrote to memory of 3996	4532	ZT_Õ÷Í¾.exe	97
PID 4532 wrote to memory of 3996	4532	ZT_Õ÷Í¾.exe	97

C:\Users\Admin\AppData\Local\Temp\b4f2c9ad4c55fa1bba772c417e6cc22a.exe
"C:\Users\Admin\AppData\Local\Temp\b4f2c9ad4c55fa1bba772c417e6cc22a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\zthjmailaji.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\zthjmailaji.exe
    C:\Users\Admin\AppData\Local\Temp\zthjmailaji.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ZT_Õ÷Í¾.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\ZT_Õ÷Í¾.exe
    C:\Users\Admin\AppData\Local\Temp\ZT_Õ÷Í¾.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ZT_~1.EXE >> NUL
      4⤵
      PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZT_Õ÷Í¾.exe

Filesize
27KB

MD5
fb9f7087769f630c92298233f23309e9

SHA1
c479b728c45b5f54c00174027fcbb5bb5d73d73c

SHA256
88de9240a3bb776fa1fdb829fd1685fd77eb4158119db2824c28aa9a4af41a4c

SHA512
7a5de291e403c85cc373e7f32af515a5a834197697434fc37d9e13bdcab6903bf6c10d7a5e31dbddd5231d4934e7f77e5814dab72ac80baf87fb56f04229baac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zthjmailaji.exe

Filesize
131KB

MD5
faf6f9367d10f3bae2773c8125ea9953

SHA1
3239f35ea7bc4e68a6836f23258ead3a0627b9d5

SHA256
21f0bbf182fb08dc66c2267eaae042d05cb2bb8928004e62cb97eba4c8293244

SHA512
f949615246728f3755632095b9c4bae1d623b697a0556539bb2072c81526d76b18e6b46161d151345aca55f2d4a20e261390314ee617e075f0fa14c4000c4f5e

Download Submit
C:\Windows\SysWOW64\FsmBY3kmWnAG5gRbwGgU.inf

Filesize
20KB

MD5
9b2c8eb96f1a63e337605b9b271498aa

SHA1
8a67d4da6872db2a349f55098730b9247ab520d0

SHA256
0484807d202e45e8f4470973e4e0bc9b6466e8509a370514bb7300d97925317e

SHA512
0a410f19ee55be0392a8bfd34d73aa579a68fbcd84313def24c6280c99bbd33b6eaf534f1828eaa978622f176e8363dd4167165c97383a94a4829006284ac8bc

Download Submit
memory/1692-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3896-19-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3896-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4532-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4532-16-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4532-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4532-21-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download