Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 13:32
Behavioral tasks
- behavioral1: Sample main.exe, Resource win7-20240508-en
- behavioral2: Sample main.exe, Resource win10v2004-20240508-en
- behavioral3: Sample zitmain.py, Resource win7-20240215-en
- behavioral4: Sample zitmain.py, Resource win10v2004-20240508-en
General
- Target: zitmain.py
- Size: 279B
- MD5: 6639a1095dc3e0cec59e7e33b19006de
- SHA1: 3d7a5fd6469021e400df9dd19da1c7687f7f6c6a
- SHA256: 4976a8497b8e1e6c17d8a17e56b163554b7da3879bd91d2e7fab18ebe45bc89b
- SHA512: 67e16f62aae236072c2942edcda0f3a428a2521e6adad67ac7071982d2a53eadb71d5b0fff6638a31fd5b293a94c0153f16b0d160716f64ae108b6947658f087
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.py | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2584 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2584 | AcroRd32.exe
  2584 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2372 wrote to memory of 2640 | 2372 | cmd.exe | rundll32.exe
  PID 2372 wrote to memory of 2640 | 2372 | cmd.exe | rundll32.exe
  PID 2372 wrote to memory of 2640 | 2372 | cmd.exe | rundll32.exe
  PID 2640 wrote to memory of 2584 | 2640 | rundll32.exe | AcroRd32.exe
  PID 2640 wrote to memory of 2584 | 2640 | rundll32.exe | AcroRd32.exe
  PID 2640 wrote to memory of 2584 | 2640 | rundll32.exe | AcroRd32.exe
  PID 2640 wrote to memory of 2584 | 2640 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe (PID 2372, depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\zitmain.py
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2640, depth 2)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\zitmain.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2584, depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\zitmain.py"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 8a40f6a9cbb523bd9352c7cbc7fc710d
  SHA1: 31c078843e7d9c87f5a31d837088bcbbc7e64d1c
  SHA256: 6bcd65ade9725cb325b5f27d6a478f8038eff911b15e40972806557d2a1a804d
  SHA512: 66c5e4d91bf5a13742838c082078824f660726635f786f3e7ca0e9a1ec04e789ac1ecaa1aa7a7c752c3985cc2579b94224c652cab9d1783b4346ff0e9b5d7c84