Overview (score 10)
Static (score 10)
Behavioral task tabs (sample, platform, score):
- fr2nnk.exe, windows10-1703-x64: 10
- fr2nnk.exe, windows7-x64: 10
- fr2nnk.exe, windows10-2004-x64: 10
- fr2nnk.exe, windows11-21h2-x64: 10
- grab.exe, windows10-1703-x64: 10
- grab.exe, windows7-x64: 7
- grab.exe, windows10-2004-x64: 8
- grab.exe, windows11-21h2-x64: 8
- m2zen.exe, windows10-1703-x64: 7
- m2zen.exe, windows7-x64: 7
- m2zen.exe, windows10-2004-x64: 7
- m2zen.exe, windows11-21h2-x64: 7
- winhlp32.exe, windows10-1703-x64: 10
- winhlp32.exe, windows7-x64: 10
- winhlp32.exe, windows10-2004-x64: 10
- winhlp32.exe, windows11-21h2-x64: 10
Analysis
- max time kernel: 27s
- max time network: 26s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2024 09:52
Behavioral tasks (task, sample, resource):
- behavioral1: fr2nnk.exe, win10-20240404-en
- behavioral2: fr2nnk.exe, win7-20240221-en
- behavioral3: fr2nnk.exe, win10v2004-20240226-en
- behavioral4: fr2nnk.exe, win11-20240426-en
- behavioral5: grab.exe, win10-20240404-en
- behavioral6: grab.exe, win7-20240221-en
- behavioral7: grab.exe, win10v2004-20240426-en
- behavioral8: grab.exe, win11-20240508-en
- behavioral9: m2zen.exe, win10-20240404-en
- behavioral10: m2zen.exe, win7-20231129-en
- behavioral11: m2zen.exe, win10v2004-20240508-en
- behavioral12: m2zen.exe, win11-20240508-en
- behavioral13: winhlp32.exe, win10-20240404-en
- behavioral14: winhlp32.exe, win7-20240419-en
- behavioral15: winhlp32.exe, win10v2004-20240508-en
- behavioral16: winhlp32.exe, win11-20240419-en
General
- Target: m2zen.exe
- Size: 210KB
- MD5: 3ae919d27d1e034cdcd8825e6f439397
- SHA1: e35e951c0e892e3213088766c80050f5ce4c88b2
- SHA256: f227037997a514d0b16dfc8e02dfc522ba409768f3c2c5faba127762851a77ca
- SHA512: f5a1969770c79f8c5abb313e11c445e5d135b8667a75aa407ccbbff69d02a22c9ac47db0d3e4f7238f4ba3fe1c0d57290904464802e4ee571c594e6075bb2921
- SSDEEP: 6144:2vyF8JOSSS/jEuVKmRo8J7RoxkAugtddd/uU2Nkyb5ZgFgvcjXCb:2w8J9LvWddmUaZzvcjW
Malware Config
Signatures

- Drops startup file (2 IoCs)
  Processes: m2zen.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m2zen.lnk | m2zen.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m2zen.lnk | m2zen.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: m2zen.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\m2zen = "C:\\Users\\Admin\\AppData\\Local\\m2zen.exe" | m2zen.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: m2zen.exe
  description | pid | process
  Token: SeDebugPrivilege | 2344 | m2zen.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: m2zen.exe
  description | pid | process | target process
  PID 2344 wrote to memory of 2672 | 2344 | m2zen.exe | schtasks.exe
  PID 2344 wrote to memory of 2672 | 2344 | m2zen.exe | schtasks.exe
  PID 2344 wrote to memory of 2672 | 2344 | m2zen.exe | schtasks.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\m2zen.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\m2zen.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\schtasks.exe (child of 1)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "m2zen" /tr "C:\Users\Admin\AppData\Local\m2zen.exe"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Local\m2zen.exe
  Filesize: 210KB
  MD5: 3ae919d27d1e034cdcd8825e6f439397
  SHA1: e35e951c0e892e3213088766c80050f5ce4c88b2
  SHA256: f227037997a514d0b16dfc8e02dfc522ba409768f3c2c5faba127762851a77ca
  SHA512: f5a1969770c79f8c5abb313e11c445e5d135b8667a75aa407ccbbff69d02a22c9ac47db0d3e4f7238f4ba3fe1c0d57290904464802e4ee571c594e6075bb2921

- memory/2344-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp
  Filesize: 4KB

- memory/2344-1-0x0000000001100000-0x000000000113E000-memory.dmp
  Filesize: 248KB

- memory/2344-2-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp
  Filesize: 9.9MB

- memory/2344-11-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp
  Filesize: 4KB

- memory/2344-12-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp
  Filesize: 9.9MB