Overview (score 10)
Static (score 10)

Behavioral tasks (sample, platform, score):
fr2nnk.exe     windows10-1703-x64   10
fr2nnk.exe     windows7-x64         10
fr2nnk.exe     windows10-2004-x64   10
fr2nnk.exe     windows11-21h2-x64   10
grab.exe       windows10-1703-x64   10
grab.exe       windows7-x64         7
grab.exe       windows10-2004-x64   8
grab.exe       windows11-21h2-x64   8
m2zen.exe      windows10-1703-x64   7
m2zen.exe      windows7-x64         7
m2zen.exe      windows10-2004-x64   7
m2zen.exe      windows11-21h2-x64   7
winhlp32.exe   windows10-1703-x64   10
winhlp32.exe   windows7-x64         10
winhlp32.exe   windows10-2004-x64   10
winhlp32.exe   windows11-21h2-x64   10

Analysis
max time kernel: 26s
max time network: 30s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-05-2024 09:52
Behavioral tasks (task, sample, resource):
behavioral1    fr2nnk.exe     win10-20240404-en
behavioral2    fr2nnk.exe     win7-20240221-en
behavioral3    fr2nnk.exe     win10v2004-20240226-en
behavioral4    fr2nnk.exe     win11-20240426-en
behavioral5    grab.exe       win10-20240404-en
behavioral6    grab.exe       win7-20240221-en
behavioral7    grab.exe       win10v2004-20240426-en
behavioral8    grab.exe       win11-20240508-en
behavioral9    m2zen.exe      win10-20240404-en
behavioral10   m2zen.exe      win7-20231129-en
behavioral11   m2zen.exe      win10v2004-20240508-en
behavioral12   m2zen.exe      win11-20240508-en
behavioral13   winhlp32.exe   win10-20240404-en
behavioral14   winhlp32.exe   win7-20240419-en
behavioral15   winhlp32.exe   win10v2004-20240508-en
behavioral16   winhlp32.exe   win11-20240419-en
General
Target: m2zen.exe
Size: 210KB
MD5: 3ae919d27d1e034cdcd8825e6f439397
SHA1: e35e951c0e892e3213088766c80050f5ce4c88b2
SHA256: f227037997a514d0b16dfc8e02dfc522ba409768f3c2c5faba127762851a77ca
SHA512: f5a1969770c79f8c5abb313e11c445e5d135b8667a75aa407ccbbff69d02a22c9ac47db0d3e4f7238f4ba3fe1c0d57290904464802e4ee571c594e6075bb2921
SSDEEP: 6144:2vyF8JOSSS/jEuVKmRo8J7RoxkAugtddd/uU2Nkyb5ZgFgvcjXCb:2w8J9LvWddmUaZzvcjW
Malware Config
Signatures

Drops startup file (2 IoCs)
Processes: m2zen.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m2zen.lnk
  process: m2zen.exe
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m2zen.lnk
  process: m2zen.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: m2zen.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\m2zen = "C:\\Users\\Admin\\AppData\\Local\\m2zen.exe"
  process: m2zen.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 1
  ioc: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: m2zen.exe
  description: Token: SeDebugPrivilege
  pid: 968
  process: m2zen.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: m2zen.exe
  description: PID 968 wrote to memory of 2940
  pid: 968
  process: m2zen.exe
  target process: schtasks.exe
  description: PID 968 wrote to memory of 2940
  pid: 968
  process: m2zen.exe
  target process: schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\m2zen.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\m2zen.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\schtasks.exe (child of 1)
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "m2zen" /tr "C:\Users\Admin\AppData\Local\m2zen.exe"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\m2zen.exe
  Filesize: 210KB
  MD5: 3ae919d27d1e034cdcd8825e6f439397
  SHA1: e35e951c0e892e3213088766c80050f5ce4c88b2
  SHA256: f227037997a514d0b16dfc8e02dfc522ba409768f3c2c5faba127762851a77ca
  SHA512: f5a1969770c79f8c5abb313e11c445e5d135b8667a75aa407ccbbff69d02a22c9ac47db0d3e4f7238f4ba3fe1c0d57290904464802e4ee571c594e6075bb2921

memory/968-0-0x00007FF949803000-0x00007FF949805000-memory.dmp
  Filesize: 8KB

memory/968-1-0x0000000000BB0000-0x0000000000BEE000-memory.dmp
  Filesize: 248KB

memory/968-2-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
  Filesize: 10.8MB

memory/968-11-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp
  Filesize: 10.8MB