f8defa93420f93aa735b7192af534db25a0c8a0719fc836983df3e506141da23

Analysis

max time kernel
450s
max time network
488s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
02/06/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zergtzaetgzeagegzeg.scr
Size

1.3MB
MD5

cdf01f02fdc0a38706412d6044e11138
SHA1

6b823724d280db7756335bf88019485d5bfe510b
SHA256

f8defa93420f93aa735b7192af534db25a0c8a0719fc836983df3e506141da23
SHA512

11c04dda9856be50af898aa13c2cadbce45ce785c29f3d4db248c962c3c8a983edcb04f9c3062b168a489ec427609cbc0663222a2f36000f2eb6c8921847af62
SSDEEP

24576:NJkzUy/HwUP5U6EFtBnQdQBlSzdX2zzR7/1UOXQxACinJeOEB7gZwSEqGsWv:SVvwOEVneQ+2OOXQrinJ26E

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2292	Aft.exe

Executes dropped EXE 1 IoCs

pid	Process
2292	Aft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3192	zergtzaetgzeagegzeg.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	zergtzaetgzeagegzeg.scr

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3192	zergtzaetgzeagegzeg.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2292	3192	zergtzaetgzeagegzeg.scr	81
PID 3192 wrote to memory of 2292	3192	zergtzaetgzeagegzeg.scr	81
PID 3192 wrote to memory of 2292	3192	zergtzaetgzeagegzeg.scr	81

C:\Users\Admin\AppData\Local\Temp\zergtzaetgzeagegzeg.scr
"C:\Users\Admin\AppData\Local\Temp\zergtzaetgzeagegzeg.scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\Aft.exe
  "C:\Users\Admin\AppData\Local\Temp\Aft.exe" C:\Users\Admin\AppData\Local\Temp\zergtzaetgzeagegzeg.scr
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aft.exe

Filesize
53KB

MD5
36427b95bf89d2a744436613fdd78d90

SHA1
5cfa33192dd50cbedfd84595d45591cdeb1a9bd1

SHA256
53e97141c0e4bdbf1b3856ffb8de80b7e6b3e7e7177ce4adee2d56dda70c339e

SHA512
453105e0e2d2ede54072da2be22e86c34c412c2c004b8ccfc13716dd6eeca1777c1d4aab032240205eb1fdbf5e3af1dafb62488ec1f5d376ef8619d5d0486e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\profiles\default\config.ini

Filesize
990B

MD5
90fd3cdfb97dd45ba97b2d496b71c7fa

SHA1
8d8f9fadd10e578d01dacdc29ca40080dd4d744c

SHA256
7e974c38021e64c638abca255b15c7a1903344b034d5f36e0f076b4479c6ef4f

SHA512
50529c2a90f149952a01d4ed341e5cf44023b0a21a862ab4bb33ad827981d4e2f94c2699d0f928969f2dcd77ef0724a3e1e962a1b9d1f989e0d37834141a5f80

Download Submit
memory/2292-93-0x00000000747A0000-0x0000000074F51000-memory.dmp

Filesize
7.7MB

Download
memory/2292-91-0x00000000747A0000-0x0000000074F51000-memory.dmp

Filesize
7.7MB

Download
memory/2292-90-0x0000000002D80000-0x0000000002D86000-memory.dmp

Filesize
24KB

Download
memory/2292-89-0x0000000000B00000-0x0000000000B14000-memory.dmp

Filesize
80KB

Download
memory/2292-87-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/3192-5-0x00000244A2DC0000-0x00000244A2E0A000-memory.dmp

Filesize
296KB

Download
memory/3192-9-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp

Filesize
10.8MB

Download
memory/3192-6-0x00000244A2E60000-0x00000244A2E6A000-memory.dmp

Filesize
40KB

Download
memory/3192-10-0x00000244BE330000-0x00000244BE3A6000-memory.dmp

Filesize
472KB

Download
memory/3192-11-0x00000244BE3A0000-0x00000244BE3AA000-memory.dmp

Filesize
40KB

Download
memory/3192-12-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp

Filesize
10.8MB

Download
memory/3192-13-0x00000244C1740000-0x00000244C174C000-memory.dmp

Filesize
48KB

Download
memory/3192-7-0x00000244A2E70000-0x00000244A2E7A000-memory.dmp

Filesize
40KB

Download
memory/3192-8-0x00000244BCEB0000-0x00000244BCED2000-memory.dmp

Filesize
136KB

Download
memory/3192-88-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp

Filesize
10.8MB

Download
memory/3192-0-0x00007FFCF3B93000-0x00007FFCF3B95000-memory.dmp

Filesize
8KB

Download
memory/3192-4-0x00000244BD560000-0x00000244BD5E0000-memory.dmp

Filesize
512KB

Download
memory/3192-3-0x00000244A2DA0000-0x00000244A2DC2000-memory.dmp

Filesize
136KB

Download
memory/3192-2-0x00000244BCF20000-0x00000244BD406000-memory.dmp

Filesize
4.9MB

Download
memory/3192-1-0x00000244A2820000-0x00000244A2972000-memory.dmp

Filesize
1.3MB

Download