a53c7212b63cdd16ce617d2ce921a361c47b4983aff71e7bfa8dcb931711ba72

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfbf4a73960560845a306faa1c5c64f2.exe
Size

13KB
MD5

dfbf4a73960560845a306faa1c5c64f2
SHA1

5525dad3d649ad10f599447fe13fd25ba57a9a69
SHA256

a53c7212b63cdd16ce617d2ce921a361c47b4983aff71e7bfa8dcb931711ba72
SHA512

52e231619b19b871407ccd9fdf124dc3b473c58de0bdd49ca33d91f37f57985141cf50274fc131d2ead48c6b7dc9445988ddb82c405cd57ae47332af85628090
SSDEEP

384:cEyPDYCdJPvNyb89G0g4RV0d5HRbBbhtHHni:5CBnXNI8bg4P07HLP

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	zongximk.exe

Loads dropped DLL 2 IoCs

pid	Process
640	dfbf4a73960560845a306faa1c5c64f2.exe
640	dfbf4a73960560845a306faa1c5c64f2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/640-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000014738-3.dat	upx
behavioral1/memory/2620-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/640-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zongxim.dll	dfbf4a73960560845a306faa1c5c64f2.exe
File created	C:\Windows\SysWOW64\zongximk.exe	dfbf4a73960560845a306faa1c5c64f2.exe
File opened for modification	C:\Windows\SysWOW64\zongximk.exe	dfbf4a73960560845a306faa1c5c64f2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2620	640	dfbf4a73960560845a306faa1c5c64f2.exe	28
PID 640 wrote to memory of 2620	640	dfbf4a73960560845a306faa1c5c64f2.exe	28
PID 640 wrote to memory of 2620	640	dfbf4a73960560845a306faa1c5c64f2.exe	28
PID 640 wrote to memory of 2620	640	dfbf4a73960560845a306faa1c5c64f2.exe	28
PID 640 wrote to memory of 2356	640	dfbf4a73960560845a306faa1c5c64f2.exe	31
PID 640 wrote to memory of 2356	640	dfbf4a73960560845a306faa1c5c64f2.exe	31
PID 640 wrote to memory of 2356	640	dfbf4a73960560845a306faa1c5c64f2.exe	31
PID 640 wrote to memory of 2356	640	dfbf4a73960560845a306faa1c5c64f2.exe	31

C:\Users\Admin\AppData\Local\Temp\dfbf4a73960560845a306faa1c5c64f2.exe
"C:\Users\Admin\AppData\Local\Temp\dfbf4a73960560845a306faa1c5c64f2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\zongximk.exe
  C:\Windows\system32\zongximk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\dfbf4a73960560845a306faa1c5c64f2.exe.bat
  2⤵
  - Deletes itself
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfbf4a73960560845a306faa1c5c64f2.exe.bat

Filesize
182B

MD5
ddcfc193f9a79db4e635bd5d45f729d5

SHA1
4d6b5824967df9b5b5a3b4c6ffee1eec5a9e0a89

SHA256
1d45790fdf90d57ce7d7002abdbbf840e5b186d8b82493e57f5aae013ffd86b0

SHA512
90d695c30f9538f7e82e88b6e35d3bcf48ebeb345755dafc286a9d89653a85ad704dbfe798166eccfd8f672f664fed0ec07182828cf9501403a490860c46ee5e

Download Submit
\Windows\SysWOW64\zongximk.exe

Filesize
13KB

MD5
dfbf4a73960560845a306faa1c5c64f2

SHA1
5525dad3d649ad10f599447fe13fd25ba57a9a69

SHA256
a53c7212b63cdd16ce617d2ce921a361c47b4983aff71e7bfa8dcb931711ba72

SHA512
52e231619b19b871407ccd9fdf124dc3b473c58de0bdd49ca33d91f37f57985141cf50274fc131d2ead48c6b7dc9445988ddb82c405cd57ae47332af85628090

Download Submit
memory/640-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/640-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/640-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/640-16-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2620-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download