7e120132d1a388a606ad117062f07cef22581d6e6694d514af94276bf6caa556

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4.ƾ֤С/ƾ֤˹/ƾ֤˹2024.3.6.exe
Size

1.7MB
MD5

52f676df9fd1e378a6fba5087a743136
SHA1

42323fd6438e74b0c4839c958db0d19acbb099a7
SHA256

ad04223df81b87e801b5f1549c3e709a066a3412bad1401af7f5adab61803af2
SHA512

96723113a5fbba6332bf89d2a20b6bc039b6849a6fed5f3a52cf16d182b3b1a10ff296362d0a97378a4ed414ff9475f2ec41e3aec8c471b928fc003bd36fb866
SSDEEP

49152:h3PsmOK2rHAacv9N+GD7DDeBjFZnzK9yhyahE/:RLMEak/CdXn5q

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 740	4796	ƾ֤˹2024.3.6.exe	86
PID 4796 wrote to memory of 740	4796	ƾ֤˹2024.3.6.exe	86
PID 740 wrote to memory of 1164	740	rundll32.exe	87
PID 740 wrote to memory of 1164	740	rundll32.exe	87
PID 1164 wrote to memory of 4872	1164	runonce.exe	88
PID 1164 wrote to memory of 4872	1164	runonce.exe	88

C:\Users\Admin\AppData\Local\Temp\4.ƾ֤С\ƾ֤˹\ƾ֤˹2024.3.6.exe
"C:\Users\Admin\AppData\Local\Temp\4.ƾ֤С\ƾ֤˹\ƾ֤˹2024.3.6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\znsh.inf
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NPQUXI~1.DLL

Filesize
1.7MB

MD5
ec12c61ddf54f4ccbfc0481863c35030

SHA1
4fc89924aa34e259ef56b916f7a6986dd27bfd8b

SHA256
d4ec99c51ec3d45e401b288c98bed031cdcae9f38c3e04bf59f8171d377ebb76

SHA512
862dc21dd2b1ce6a7c037ba54cbe7f927d173a6d947d9be6a5cbd2fd6c1ffd46e079721125a9c86aa86e6f3cdbb3545e8a98fecd354f24ef0dc0401b608c7fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCRUNT~1.DLL

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZNSH~1.XLS

Filesize
174KB

MD5
9726510518eb30427f79d01286fff914

SHA1
3159cc4ffafd9df96dfc874d2691707916bc367a

SHA256
fac491745c097c3e9cca9ab70a0ac08668f10b30b4328ee46c25b50af3d48e42

SHA512
1162ea9384373a9f1890b15c5f99db6d838df97ef833423b6844c036871c1eee8b824c268b82c325cef80dc7838a1b95a284be47cb120c2fefbfd0ac9221d655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\advapi32.dll

Filesize
475KB

MD5
069699987dc9ddd30d165c6e13689d8b

SHA1
1e2e560e7d0668f46f30e0dc25a025b66dc48c28

SHA256
782cd5317f8e91975cfc435262e774cf2927e0b720172262ee3664eacb3a6907

SHA512
e3bf5fbb218d88e78b63768b5b8908d9078add07abdb5398dea35278656cf28c436bafca93aadab4afffd687c35e867048bfec34dcc6fa32b57a88bf946337bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\znsh.db

Filesize
148KB

MD5
5999134b8aca7c81173ba00753ca0d34

SHA1
a66ec6c56670de8547718bd8e79b7f49abfaa866

SHA256
96facae71ef7af0e92e3162c5801fb0885658103eb5ff9ef83e844390f89641e

SHA512
5e918ca1e5f0ce9fcbb3f5654356b3f727a168eec9ad99397c4e41e440c672c5e11a5b73334628bb851749f3807efe332af6b0add483d7fc42888628ea5b4805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\znsh.inf

Filesize
399B

MD5
46e581d00d5d5cea727130e2d29c0ae5

SHA1
09fb918c9b41d8dc3320afdcbeec606bafefa084

SHA256
ee9f5a3f5f6cb2f206f45c80d2ba492e5f9400e380b9710f648c5d40e6be1ade

SHA512
5c102cf545a29bba256668530fa3fe7156cb097ab76b611b4bdf8f7a1d4abc5853fd9ebb9ca2767db9d56156ae5f15b5fcc7674b0c021d854c2700d975c679b9

Download Submit
C:\znsh\IPHLPAPI.dll

Filesize
192KB

MD5
cdc6958cac579aec2ff50e714a511bd8

SHA1
ccc05f75af3a3c1f13aa042b4c0375f28d885482

SHA256
d89c3bb129643753298596ae385dce893157c76accd9417870ad456614c2f576

SHA512
90fc4bd9594015b810b4b31d143e7a550c98c3712cb5d4a6207a7174a753f9846a978db4dcba3cba33d07f1993bd41b79362624b40dbf3acae51ef37820c815e

Download Submit
C:\znsh\comdlg32.dll

Filesize
834KB

MD5
0044b4e6dffff508023e2820c19dbe72

SHA1
1b36e7d1444dcaa29cedb2fe51cbbf4e9a8ea015

SHA256
69e3f82019a339bf457f9182d49d8da97f778990a98382c4f94d73b766e9f61f

SHA512
84425d388cb8794605275d118245908b0a568db0e82f2ba8fac2bc56149f2db1b7e55a8dda9376cbdd09d34297460b3c3b4b302fce627aeeb9704c1578fddbd8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads