23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe
Size

88KB
MD5

18e7a6281d1750008983a2493ba7db22
SHA1

f57120d9b02446d02362f1cd9a8cc560ede11f26
SHA256

23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c
SHA512

5cf2f4dc68c73c9dd8db9bc736d1519ccef3934c5131f9907accbf8352bab5fd40004f8809b2217f33388919319ccb392812d033e1b41ee43ea014254dd55477
SSDEEP

1536:s1mCSIQ/JDHKa5LJW6/Z2NZQKvdmNmS/:cNSI8DHKuFOJvdN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zaauva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe

Executes dropped EXE 1 IoCs

pid	Process
4860	zaauva.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /a"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /x"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /l"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /p"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /y"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /r"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /z"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /w"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /b"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /t"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /g"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /d"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /c"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /j"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /u"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /s"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /i"	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /o"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /i"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /v"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /e"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /f"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /q"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /h"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /m"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /n"	zaauva.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaauva = "C:\\Users\\Admin\\zaauva.exe /k"	zaauva.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4880	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe
4880	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe
4860	zaauva.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4880	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe
4860	zaauva.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4860	4880	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe	93
PID 4880 wrote to memory of 4860	4880	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe	93
PID 4880 wrote to memory of 4860	4880	23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe	93

C:\Users\Admin\AppData\Local\Temp\23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe
"C:\Users\Admin\AppData\Local\Temp\23a4ca6483c7c65cba62088a9151495eba4bceca2e38b955f4bbe8c42cdb0d4c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\zaauva.exe
  "C:\Users\Admin\zaauva.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\zaauva.exe

Filesize
88KB

MD5
284e24b6455a9e97014c99b182f3f6b9

SHA1
ab65f59890654b747a651cc7891ed1d53d9cabab

SHA256
c59f63ee14233e98505a697dae7f008253be3c8de663f1709ac490d8157c40b7

SHA512
6467e88b385c3f5753352235c621be59c4d9ebd1232934cbad778b48ab52904fdc2f03904dccd8e975969cb2b8d74376dc1899fbde8b5a6c824ccfd35ee6c3f6

Download Submit
memory/4860-34-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4860-38-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4880-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4880-37-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download