ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe
Size

65KB
MD5

91549c77f4b27ef9aa3b384373c62d38
SHA1

cf1e029248c03de10af024c3831cf980e046664d
SHA256

ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c
SHA512

cc38863d98218592065ed7b1e47fd4dbd9de9a4e6b326c1a400dea407ae86972478e0da907f80c5fe6ce5a2b4a8ca758af3afd1e56c7aaea6e3c2fd0ff2dac92
SSDEEP

768:ZrItKyw5WHXfQIhIiIk9ecAaVPD96KyX6C:Zr3Z5IfQIR81ad5yX6C

Score

9^/10

evasion

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 4 IoCs

resource	yara_rule
behavioral2/memory/3492-0-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023532-4.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2224-5-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2224-6-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3144	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe

Executes dropped EXE 1 IoCs

pid	Process
2224	zewhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Debug\zewhost.exe	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe
File opened for modification	C:\Windows\Debug\zewhost.exe	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe
File opened for modification	C:\Windows\Debug\zewhost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3492	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3144	3492	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe	90
PID 3492 wrote to memory of 3144	3492	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe	90
PID 3492 wrote to memory of 3144	3492	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe	90
PID 3492 wrote to memory of 1492	3492	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe	96
PID 3492 wrote to memory of 1492	3492	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe	96
PID 3492 wrote to memory of 1492	3492	ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe	96

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3144	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe
"C:\Users\Admin\AppData\Local\Temp\ce1562277b1b3953f1435e8c9906923e62c91442875486f94fbc52c037dd1b7c.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\zewhost.exe
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:3144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CE1562~1.EXE > nul
  2⤵
  PID:1492

C:\Windows\Debug\zewhost.exe
C:\Windows\Debug\zewhost.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4072,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\zewhost.exe

Filesize
65KB

MD5
e8ca94fea5551a3c4ccc666b2ac71f8a

SHA1
15f6411b7422fc25728024a39641d7d1b4791537

SHA256
22eb3f1c10a4f75a7775248d47c8d671c825fa0a5a96f74179db5c609b0e613a

SHA512
27724e516babb8f04f2fc5856282f575fd41db6dec6ad4bfb598ba65cb9ca60dd9669af1225629801a34981eefbef56d1cd820663e502ce1e837605dc3de3f3e

Download Submit
memory/2224-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2224-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3492-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads