4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03

General

Target

4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe
Size

1.2MB
MD5

b9793039b61853ed05369365f25ecdfc
SHA1

f6b25e28df0689a068d35573eb12e9c92d054faf
SHA256

4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03
SHA512

88a481b51cb1de77d446359e7ef64e54fdf5e8bf0d8f705df784321d23589633821613d31a4b3386289927e74a42cef6245ce46a110a44d5289e8ac7e239e44f
SSDEEP

24576:DGHCm8uPdJFdokSTAwlJaxHBeOLj2sqogRSoyhCswKMeuP+T7GMFu3/Urcp9J:CuWroNTfJaxhQsqDI0sdM6CMF4/UApr

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Z7zk9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Z7zk9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe

Executes dropped EXE 1 IoCs

Processes:

Z7zk9.exe

pid process

3788 Z7zk9.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Z7zk9.exe	upx
behavioral2/memory/3788-18-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/3788-58-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Z7zk9.exe

pid	process
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe
3788	Z7zk9.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Z7zk9.exe

pid process

3788 Z7zk9.exe
3788 Z7zk9.exe
3788 Z7zk9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exeZ7zk9.exe

description	pid	process	target process
PID 4284 wrote to memory of 3788	4284	4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe	Z7zk9.exe
PID 4284 wrote to memory of 3788	4284	4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe	Z7zk9.exe
PID 4284 wrote to memory of 3788	4284	4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe	Z7zk9.exe
PID 3788 wrote to memory of 2376	3788	Z7zk9.exe	cmd.exe
PID 3788 wrote to memory of 2376	3788	Z7zk9.exe	cmd.exe
PID 3788 wrote to memory of 2376	3788	Z7zk9.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

Z7zk9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Z7zk9.exe

C:\Users\Admin\AppData\Local\Temp\4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe
"C:\Users\Admin\AppData\Local\Temp\4de54b7d5f8e5d14e89a8726b4838eb60000a48ee2a83da34b195fef8fffdd03.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\Z7zk9.exe
"C:\Users\Admin\AppData\Local\Temp\Z7zk9.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3788

C:\Windows\SysWOW64\cmd.exe
cmd /c echo.>c:\xxxx.ini
3⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Z7zk9.dat

Filesize
129KB

MD5
53262b1e14cad6b495b18b16c1a30aff

SHA1
fec9b2d8144632dff0c8bdbd8ca49358f6ac14f6

SHA256
9489a2b8cb87e19b0c10c328920cb980c69957532090d160a3b418c21271fba9

SHA512
598ebd5ffc18fcef55e40e550b4996ddc7380439eeedd449391b9e4a89a7f487b8b334b7acc915d330ddd232b563ba7bd0db82f3f7832aa3f5b7b160c565f93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7zk9.exe

Filesize
476KB

MD5
6c1fae392332da03dc137c5a450e094f

SHA1
d0f0e9706d24479daf94e945cba0bd66ffa09c19

SHA256
ff1ed2a61373c9737d85d05232ab31882a723348af3f6fc0c73f266288d6027f

SHA512
698b25f5bdd3da6978e048e35f2e830081af91692c18732d4a95f97e547bca80e580c40717ac9dc41c4c1bf3ba5fa481fb3205f400049681dc57e91aae72a8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
05a6b5e6f8f3c239a9669dcc693e9b83

SHA1
194ff18e37d56b8d988cd60bb9f0e94bbb23e767

SHA256
1bfa036a09bad94fc4b9ce956c13628987f4e390a5f88d64a47f44941aa31692

SHA512
0464644346aecc20a35c0ede49bd8e4484314941894553ed728f12c1005b5a01a222b18af396da9675c8183bf8935765ea59a03cacbeb71138270998f9f4c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge.jpg

Filesize
356KB

MD5
eab0c2e6d6a79b4056bde3e5d608aec7

SHA1
dfb7906fa0972dc9229e949f6f5eefab8f66f8df

SHA256
fc9fdf32bc7308f73bc366e26255088301185574ee69d5d5550e4ad5d11b7667

SHA512
d5493ae8583b39ef8a45c0ffceccf97b330b6278cb0052fb1d6d78231fc7bd410b4d8dd1e15e1737c7623a75652e85c99bf14e931331bdb5a82eab19ef965a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge.xml

Filesize
78KB

MD5
becc523c5a38ba344024663f21406563

SHA1
309a81bfb24ac04671644a17e76b29d604cbc39f

SHA256
6267183bef236992d39b4c3ab10ae63e9c04e87b3a0dafa0512716b5624481e7

SHA512
f640e6a97e0de2c08a38fd8ae753eacfc7682092ede427f7d1d33a0a763ec9f51b08299c09560192bbb0fac80f93ebc1d982c4c087646c1b1ca7b5e10fd299c0

Download Submit
memory/3788-18-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3788-40-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/3788-42-0x0000000002650000-0x0000000002667000-memory.dmp

Filesize
92KB

Download
memory/3788-44-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/3788-58-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3788-60-0x0000000002650000-0x0000000002667000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads