48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838

General

Target

48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe
Size

9.6MB
MD5

9ce85f318e9577893ef8804d095f20e4
SHA1

92c3d9036bbf023328793cc33689249fc66c9149
SHA256

48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838
SHA512

7c37ab22ddaca72400975ecf95c6b4546afa8a9d94b50ec79610826448b781ef499c3fd20bf1e7d1439a79842746d71d6099f0e94a49e381ac72c57664271b76
SSDEEP

49152:ZE7TRX/zibSgJXFk9r1SBe4/nL8TWtYLNQxCx7OzW5EoUgQi5MAXgwFtUwYaxgmS:WXr2hh1GXCxCVXavO+xBF3n1A/2YX2v

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe

Executes dropped EXE 1 IoCs

pid	Process
4412	zanhh.exe

Loads dropped DLL 5 IoCs

pid	Process
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfEmyRTeCOCH = "C:\\Newfoldtr\\zanhh.exe"	zanhh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zanhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	zanhh.exe
4412	zanhh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4412	zanhh.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4336	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe
4336	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe
4336	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe
4336	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe
4412	zanhh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4412	4336	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe	89
PID 4336 wrote to memory of 4412	4336	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe	89
PID 4336 wrote to memory of 4412	4336	48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe	89

C:\Users\Admin\AppData\Local\Temp\48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe
"C:\Users\Admin\AppData\Local\Temp\48f76f41241e8df363150c889ea363b8eee56ee540cf172b6deaa5f0cc109838.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Newfoldtr\zanhh.exe
  "C:\Newfoldtr\zanhh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Newfoldtr\20240806211854_33288.zip

Filesize
7.8MB

MD5
92a720123201e07fbb75d2f7e483a719

SHA1
1e6d32270c0af3aa6e6009694ec05e5f7cf052f0

SHA256
9b04efc083fd3c4b14ed5feba47c637c2b9de6b51faddf6da7ff53bd493815ed

SHA512
b65be83bf5fde5d8e72fd06d43cf0b9e2d356a78c13ac50f8cc3b4842bbcfae715dc1d48208435cbc88e0d797fcfe7aa825d634004f4a803259c124f6bd9d52e

Download Submit
C:\Newfoldtr\StarBurn.dll

Filesize
587KB

MD5
e76a62a26a171a1e11802df34c6c571e

SHA1
03bd5f19a16b1f34e843a11572875a83d2d93511

SHA256
57ff90c7fb09a8cebe4ace209bb1a8585d46bb3ea59ee91644323840c1b11a50

SHA512
b47dcaa55033fbd84a1599dc14f648211c0cd4c16764bfa093b515bb7304293712a5a8ebfe447cede43f034356cbbc04d134aef51f247bf7385dca4625a4fd2f

Download Submit
C:\Newfoldtr\dvdau.dll

Filesize
100KB

MD5
ec13c0ca17ff65cf05c04b86a640072a

SHA1
faee721f08ce0b2c32b8b6f0b86fa7c1a70d64e6

SHA256
9f649c766b673ddee2edeadf171ef7afc87dfbae2ae1b2835b5af81ee389c707

SHA512
0b10073dfbe1a79aa0ea6a7d8b6415bcb363ce35574bafe1caf8679af084108eb1de9f3a913e870a82759ddd46ffca0cc6b2612ef4af0dd9a76eb09e543e7da5

Download Submit
C:\Newfoldtr\trp.gif

Filesize
1.5MB

MD5
321b04a8e4ebfc40674f451f426a4da3

SHA1
a24219445a25f4dadad72658e63fd3ba026ebeac

SHA256
0628b2f4ecdb9b0c9425c2f2bc22e15bac3b12645a9e63c4f95e90e2d6e9c2f3

SHA512
2004b4485f2347036784df31b811f51924665898a9a5476d580b2478022956c5db9f1cdca81be9993469bba120d227616d364ec220e79f1b595703a1221dfbeb

Download Submit
C:\Newfoldtr\zanhh.exe

Filesize
280KB

MD5
84eeaf42db9fee1803147216b456d3f5

SHA1
52230ffe54e2d4dc3df717d0d1587263bf573ddc

SHA256
463f8fdf2d0c90cce1734b5e6d12d37d753f53a17e4fb9315ebaaee61ef1e8c4

SHA512
91a4dd13561aa90dcfbf8e5153ca02c233b1e8d5da13145c430715ab941017edce6cdcb37c23a209c97c87254b6663203d63586fa27409e36a95b90f89c86687

Download Submit
memory/4336-60-0x00000000001F0000-0x0000000000BBD000-memory.dmp

Filesize
9.8MB

Download
memory/4336-9-0x00000000001F0000-0x0000000000BBD000-memory.dmp

Filesize
9.8MB

Download
memory/4336-29-0x00000000001F0000-0x0000000000BBD000-memory.dmp

Filesize
9.8MB

Download
memory/4336-11-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/4336-37-0x00000000001F0000-0x0000000000BBD000-memory.dmp

Filesize
9.8MB

Download
memory/4336-0-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/4412-63-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-58-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-62-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-55-0x0000000000910000-0x00000000009A5000-memory.dmp

Filesize
596KB

Download
memory/4412-64-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-65-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-66-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-67-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-69-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-70-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download
memory/4412-71-0x00000000009B0000-0x0000000004147000-memory.dmp

Filesize
55.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads