ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe
Size

51KB
MD5

279605a755ef3997a8dab583ba033e07
SHA1

646a051c86901564f5c46c34d1b486f7f603712c
SHA256

ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5
SHA512

a6a1fe22a93706971689bba0f7c843b8c2e9b0696d2be2da59c7aa903831b07e0aa116b432bcda1f7dfa701c5a471843d53d844a593abd4d8c5edbc6ff4656bf
SSDEEP

1536:lvQoLHjw2iWPKEq7OyX60MXXXcFFFrddd+:lv5Ls27k7OyX60MXXXwddd+

Score

9^/10

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122a8-2.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Deletes itself 1 IoCs

pid	Process
2196	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
804	zskhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\zskhost.exe	ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe
File opened for modification	C:\Windows\Debug\zskhost.exe	ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2264	ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2196	2264	ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe	29
PID 2264 wrote to memory of 2196	2264	ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe	29
PID 2264 wrote to memory of 2196	2264	ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe	29
PID 2264 wrote to memory of 2196	2264	ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe	29

C:\Users\Admin\AppData\Local\Temp\ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe
"C:\Users\Admin\AppData\Local\Temp\ce503938c7221b03ac3d8d4f5f448bb0e965d3a567902c5fff806c8caef5b6d5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CE5039~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2196

C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
1⤵
- Executes dropped EXE
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\zskhost.exe

Filesize
51KB

MD5
c8c2c208c0639622be1a5f05a01cb3a3

SHA1
48817f3857af266451ea869a7f53128c0ef7b0d5

SHA256
baee3ce9ce4d4e18451b95fbe9e22242a17b9620e82276eb5eafca69278d1e11

SHA512
6cf36cea368438f1f16ff4de4056e1d69ab2f3feb1c98127cbd8541ebe53912c03bccf29ae9b778243c0ab3dbf8633c3c4e29c7bfa9f5d85aa06a772869009e4

Download Submit