Overview

overview

3

Static

static

3

xZUpdater.exe

windows10-2004-x64

1

Resubmissions

16-06-2024 14:34

240616-rxmmka1cnn 3

16-06-2024 14:34

240616-rxdpnaxakg 3

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    16-06-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xZUpdater.exe

  • Size

    4.0MB

  • MD5

    03d44181b5e7a135d4a4ee9392a6632a

  • SHA1

    dd6538ceeb979f34eba33b52dd950a60d352f1e5

  • SHA256

    0d3adaeb1806a5845b55998281a530b8d79086bc8378dbae86d572af80678c4f

  • SHA512

    ac465110a78ea30699f6563c2bf907781855ee99574cfd570cb69c2ac7f4bc9e0bf76bfcd6a501178554510d8c96aa0618660117c2eee3f6bcd0ec6ec5ff8869

  • SSDEEP

    98304:DD9z89ENpcNM44/lAY2ekhgTcfdbMm0ECoJxInx:X1NoQd5Tcf23EdJSn

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\xZUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\xZUpdater.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2228
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4364
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4364.0.1227995778\94709495" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce997cf-e487-4856-81b7-5bef25032be7} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" 1852 23f4fd27158 gpu
        3⤵
          PID:3408
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4364.1.371572238\542489433" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe706adc-17ca-47ee-bb6b-2587c2f5589a} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" 2420 23f42f85958 socket
          3⤵
            PID:3276
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4364.2.128074717\85019893" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2932 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e910e68b-474c-4845-8782-3c28ca5a88da} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" 2896 23f4ed91f58 tab
            3⤵
              PID:2052
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4364.3.438399345\1328735836" -childID 2 -isForBrowser -prefsHandle 2712 -prefMapHandle 4108 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52edbbd3-750b-4cd2-9ec8-eadf03430637} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" 4204 23f55124958 tab
              3⤵
                PID:4264
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4364.4.1987507367\1897019085" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4944 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81b0f8ea-7ee1-43e3-9bda-d22133f7d631} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" 4972 23f56c3fb58 tab
                3⤵
                  PID:4508
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4364.5.1181371992\1816883139" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 4988 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1957e28b-e332-443b-92f5-76d16be7cb0a} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" 5104 23f56c3ce58 tab
                  3⤵
                    PID:4260
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4364.6.1930000406\518255618" -childID 5 -isForBrowser -prefsHandle 5324 -prefMapHandle 5332 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8bb07f7-19e4-407c-a77a-99b60c23aaf2} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" 5312 23f56ce9f58 tab
                    3⤵
                      PID:4280

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  26KB

                  MD5

                  a58ef334bca39ee12b74b68d337bfa59

                  SHA1

                  0cfb3580fdb3d37c7ccec310def22395d356296f

                  SHA256

                  2e1a85e54770f12c57da18f3bab356cdfb693d9c54b3e087b03b4e068e9c7313

                  SHA512

                  a797aedb78f6d48162262669f74a388429af935f440aa1788c46f7643ffd6e945771416df80e0ed3108c0b7597ebae569859c4872bc4350584a91b781036a70c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
                  Filesize

                  7KB

                  MD5

                  40decf52d7ab2af71611aa9ba2835ccc

                  SHA1

                  9c60bb887f6ed2e94a7bdc7bd3f89a9463fcfacf

                  SHA256

                  d08fcadf18572e9b41ca631fbbb382f59e6f497920d87d6e838769134b873f58

                  SHA512

                  41f495b9574dbf17f7edf25f91bd88790189e73ca1bb5b0bd74801c828b205c8295c0f2822f1ade135d99b4d7f69ea94fcdd31b162fc4db256bc26f4ec7635b4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  d0d5e15f8de713bfd863e162d66c07e2

                  SHA1

                  4e19964880a9bd293a5ca92666aebc1a79d3e3f4

                  SHA256

                  415d1a9d25f12c2bcb94d548db57d4665f028aacfd61a0043e9eb1bf10823a56

                  SHA512

                  b5d98dd20f99fc307b7025945399a2162d4e9dfb9095759eaac405fef0afb3a41ca76e330e77b97959b76f4f3a5b6e2e5e4c9f76c3c0931d5a27e3f2cf238986

                  Download Submit

                • memory/2228-0-0x00007FF678940000-0x00007FF678B91000-memory.dmp

                  Filesize

                  2.3MB

                  Download

                • memory/2228-1-0x00007FFFE1AD0000-0x00007FFFE1AD2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2228-2-0x00007FF678920000-0x00007FF678F88000-memory.dmp

                  Filesize

                  6.4MB

                  Download

                • memory/2228-5-0x00007FF678940000-0x00007FF678B91000-memory.dmp

                  Filesize

                  2.3MB

                  Download

                • memory/2228-6-0x00007FF678920000-0x00007FF678F88000-memory.dmp

                  Filesize

                  6.4MB

                  Download

                • memory/2228-7-0x00007FF678940000-0x00007FF678B91000-memory.dmp

                  Filesize

                  2.3MB

                  Download

                • memory/2228-8-0x00007FF678920000-0x00007FF678F88000-memory.dmp

                  Filesize

                  6.4MB

                  Download