Overview

overview

8

Static

static

3

zeta-updat....1.exe

windows11-21h2-x64

8

Resubmissions

19-07-2024 19:26

240719-x5x16awdjp 10

19-07-2024 19:22

240719-x3gamawcjq 8

19-07-2024 19:19

240719-x1lsbszapb 8

19-07-2024 19:16

240719-xyvx8azajf 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    zeta-updater-1.0.1.exe

  • Size

    3.1MB

  • Sample

    240719-x3gamawcjq

  • MD5

    b10ed91a7fe5a422d9c2f9aff5696a19

  • SHA1

    c83105f812109e5f6a26564c197f49d61b2ef403

  • SHA256

    94c0a829b34030f4b279c794962627eb422cd3ce3f969eb8ca330ca0c9f82635

  • SHA512

    fc0d5149ce62ba67755732e5a0004a158bb36ec4e166fcbd734a89c9bde855e71ccf06ee5c7ff9df0834397178c90b9da40769b0275ea487d41c8201f7007c25

  • SSDEEP

    49152:5wSHmvR05JIoEe/avRAvUP5v8R3Lkvrd2o8FEOrJUjnjv/kFE2fSAeFa5J9dxSFw:bOAvsU0D/IE5AeFWxxSFw

Score
8/10
bootkitdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      zeta-updater-1.0.1.exe

    • Size

      3.1MB

    • MD5

      b10ed91a7fe5a422d9c2f9aff5696a19

    • SHA1

      c83105f812109e5f6a26564c197f49d61b2ef403

    • SHA256

      94c0a829b34030f4b279c794962627eb422cd3ce3f969eb8ca330ca0c9f82635

    • SHA512

      fc0d5149ce62ba67755732e5a0004a158bb36ec4e166fcbd734a89c9bde855e71ccf06ee5c7ff9df0834397178c90b9da40769b0275ea487d41c8201f7007c25

    • SSDEEP

      49152:5wSHmvR05JIoEe/avRAvUP5v8R3Lkvrd2o8FEOrJUjnjv/kFE2fSAeFa5J9dxSFw:bOAvsU0D/IE5AeFWxxSFw

    Score
    8/10
    bootkitdiscoverypersistenceprivilege_escalationspywarestealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks