90b96798067ef27a9d680b127c40095bd91397707acaf278df043e519b00857f

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e002e3dfbf9d1df15323f0648811539e.exe
Size

200KB
MD5

e002e3dfbf9d1df15323f0648811539e
SHA1

109c146b026a94c31c24fe9f81fb2ce63f18a9bc
SHA256

90b96798067ef27a9d680b127c40095bd91397707acaf278df043e519b00857f
SHA512

dbbffe68a48e2f3991571cfc604463c596e20f4b80d7f036b45ccd28b38120e774123e494f3f6804f61f67072ef4d766125bb4d0be56d4ad8df481afe072cd65
SSDEEP

6144:V52B+RtR7kRwAAKHsuBXPrgAm+2Qf4zSKSPKht:V52B+7xFATXPr8Qf4WpPgt

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\zhz.dll"	e002e3dfbf9d1df15323f0648811539e.exe

Deletes itself 1 IoCs

pid	Process
2992	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	e002e3dfbf9d1df15323f0648811539e.exe
2992	svchost.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

C:\Users\Admin\AppData\Local\Temp\e002e3dfbf9d1df15323f0648811539e.exe
"C:\Users\Admin\AppData\Local\Temp\e002e3dfbf9d1df15323f0648811539e.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
PID:2968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\install.tmp

Filesize
70B

MD5
dab6715d1dbb168955525bbb3fd0f92f

SHA1
086e2aa23c6c8c549cc11c7b32f04705452fb882

SHA256
f70c0a84a89c93f40d8ebce5534b2295264ac82f58d853b2f0cc849074cb4138

SHA512
c6d7d5fe6929434851fb707cbdba5ca1e2c7bcc9ccb9066ef6b69e09b103df478f1a5ffb61095d5ede2bbf9f7a5d9741d67e82de00e30aae71a618b2219fcdbe

Download Submit
\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
185KB

MD5
a128bdadb59f1fc96c82643a09665f19

SHA1
abada5c6692839631d4661fe49cbb3ff40cf676d

SHA256
1b8cb5a5d83cf5b4569cec2f895c21e2ea3c9fb71f2807fba95b341e5dfc1bdb

SHA512
ce1bc3ed2700ab507837d32d34e512c2d2abdc437263457e7df2b14360aeb307d9268443613e225ca9dd54456d75d91eca52bc5bc9bdacb64c949a76b341152b

Download Submit
memory/2968-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2968-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads