Analysis
max time kernel: 39s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02-08-2024 16:54
Behavioral tasks
behavioral1: Sample 599440_ZEFkMX.exe, Resource win7-20240704-en
behavioral2: Sample 599440_ZEFkMX.exe, Resource win10v2004-20240802-en
General
Target: 599440_ZEFkMX.exe
Size: 47.2MB
MD5: eacea7802281e79c6a2b227728798856
SHA1: fcbfe265708b61a03cf41d4cf64193d85fc9dc1c
SHA256: 4e4e0a96ca0aa4f49e3f28ba96249e30e2281322506af6697ecb94d9281e6d94
SHA512: 7602e6a65f40b24b1e5c1e14ca1bb9ee6011e572b80ac2eef7dbe551cc90f72d85d92ba660234d56dc1fd583f691e90b101aaca2d7597cb28c4d69a959242b16
SSDEEP: 786432:Y9Z9HcQrh7vDE2dkg/IpG7VB8VPhqWdbFzcY876I9e3K8vCW8zDPHvtXmZvOg6IY:6vHcQrh7vgSk8IpG7V+VPhqWdFE7zE6s
Malware Config
Signatures

Loads dropped DLL (1 IoC)
Processes:
pid    process
2788   599440_ZEFkMX.exe
Resources matched by YARA rule:
resource                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI12922\python312.dll     upx
(The only UPX match is on a Python runtime DLL unpacked into a _MEI<digits> directory under %TEMP%; the sample itself is not reported as UPX-packed.)

Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes:
pid    process
3048   taskmgr.exe (21 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid    process
3048   taskmgr.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description                 pid    process
Token: SeDebugPrivilege     3048   taskmgr.exe

Suspicious use of FindShellTrayWindow (31 IoCs)
Processes:
pid    process
3048   taskmgr.exe (31 hits)

Suspicious use of SendNotifyMessage (31 IoCs)
Processes:
pid    process
3048   taskmgr.exe (31 hits)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                          pid    process             target process
PID 1292 wrote to memory of 2788     1292   599440_ZEFkMX.exe   2788 599440_ZEFkMX.exe (3 hits)
All three writes go from the first instance of the sample (PID 1292) into the second instance of the same executable that it launched (PID 2788). A parent writing into a child it has just created is how many self-relaunching launchers hand over state; on its own this row is not evidence of injection into a foreign process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\599440_ZEFkMX.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\599440_ZEFkMX.exe"
   PID: 1292
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\599440_ZEFkMX.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\599440_ZEFkMX.exe"
      PID: 2788
      Signatures: Loads dropped DLL

1. C:\Windows\explorer.exe
   Command line: "C:\Windows\explorer.exe"
   PID: 2764

1. C:\Windows\system32\taskmgr.exe
   Command line: "C:\Windows\system32\taskmgr.exe" /4
   PID: 3048
   Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Note: explorer.exe and taskmgr.exe are separate top-level trees, not children of the sample. Every signature attached to PID 3048 (process enumeration with SeDebugPrivilege enabled, foreground-window and tray-window lookups, SendNotifyMessage) describes Task Manager's own activity in the sandbox and says nothing about the sample. Only the two 599440_ZEFkMX.exe instances carry sample-attributable behaviour.
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.7MB
  MD5: 506c760a20e6bb940590229d41449ffa
  SHA1: b7c439f253987fb0ff66fc5ce959cf711b18eb8d
  SHA256: e63503b2715df3eab8abb9b2682129e27a7add9acea9008f06f55494a2b2f3d5
  SHA512: 34df2e8e53caac0cd72cb3c5848296ca8cfa10c542c0a5f88385d6b35ab70b86957540de2ff105a27cefb37ccbb5789261a69132b535a857df32875c1f9deb9e
- Filesize: 4B
  MD5: 365c9bfeb7d89244f2ce01c1de44cb85
  SHA1: d7a03141d5d6b1e88b6b59ef08b6681df212c599
  SHA256: ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
  SHA512: d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
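Added example, not part of the sandbox report or of any tool it was produced by: a small Python triage helper that does the three checks a practitioner would run against this page locally. It recomputes the MD5/SHA1/SHA256/SHA512 digests of a file and compares them with the values printed in the General and Downloads sections, walks a PE's section table to see whether the names UPX left behind are present (the basis of the `upx` YARA hit on python312.dll), and flags a load path under %TEMP%\_MEI<digits>\ like the dropped-DLL path above. Assumptions: `build_fake_pe` constructs a minimal PE purely as test input (it is not the sample), `REPORTED_SAMPLE` copies the digests from the General section, and the `_MEI<digits>` directory pattern is the naming convention used by PyInstaller one-file extraction, which is an inference about this sample rather than something the report states.

```python
import hashlib
import re
import struct

# Digests of the analysed sample, copied from the report's General section.
REPORTED_SAMPLE = {
    "md5": "eacea7802281e79c6a2b227728798856",
    "sha1": "fcbfe265708b61a03cf41d4cf64193d85fc9dc1c",
    "sha256": "4e4e0a96ca0aa4f49e3f28ba96249e30e2281322506af6697ecb94d9281e6d94",
}


def digests(data: bytes) -> dict:
    """Return the four digests the report prints, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matches_report(data: bytes, expected: dict) -> dict:
    """Per-algorithm True/False for every digest supplied in `expected`."""
    got = digests(data)
    return {alg: got[alg] == value.lower() for alg, value in expected.items()}


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header and return section names in table order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]    # Name is the first 8 bytes of each entry
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(section_names) -> bool:
    """UPX keeps its UPX0/UPX1 section names unless the packer was told to rename them."""
    return any(n.upper().startswith("UPX") for n in section_names)


def is_mei_extract_path(path: str) -> bool:
    """True for %TEMP%\\_MEI<digits>\\... paths, the shape of the dropped-DLL path in the report.
    Assumption: this naming is PyInstaller's one-file extraction directory convention."""
    return re.search(r"\\AppData\\Local\\Temp\\_MEI\d+\\", path, re.IGNORECASE) is not None


def build_fake_pe(section_names) -> bytes:
    """Constructed test input: the smallest byte layout pe_section_names() accepts."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    # Machine=x64, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0 (none present), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    fake = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print("sections:", pe_section_names(fake), "upx:", looks_upx_packed(pe_section_names(fake)))
    print("digest match vs report:", matches_report(fake, REPORTED_SAMPLE))
    print("MEI path:", is_mei_extract_path(r"C:\Users\Admin\AppData\Local\Temp\_MEI12922\python312.dll"))
```

To use it on a real download, read the file with `open(path, "rb").read()` and pass the bytes to `matches_report` with the digests from the Downloads entry; a False for any algorithm means the file you hold is not the one the sandbox saw. The section-name check is a heuristic only: a packer invoked with renamed sections, or a sample that unpacks in memory, will not show UPX names, which is why the report's YARA rule and a hash match together are worth more than either alone.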