Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 22:03

General

  • Target

    4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874.exe

  • Size

    1.2MB

  • MD5

    43044a8822f069feddd9c02fe36d8517

  • SHA1

    7ed988939944d311a580e145198a6b4cc5741355

  • SHA256

    4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874

  • SHA512

    fb7f178877f94e7132508d1475dfdadbd2b71f4d8b3c779e509829fd2ea4d223328a389c6521729616cd15900d72b57a3fe0f0b6502c9bba7c60194c65d66f4b

  • SSDEEP

    24576:v9tuVdYYq6r4KmT/VKl/kb9sY5uJ1VMa6z3ZD+yA5HQMh4/Vp58t2Wcd:vD+Js9C0udwtzJKyA5HQcKUzy

Malware Config

Signatures

  • Detects ZharkBot payload 2 IoCs

    ZharkBot is a botnet written in C++.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • ZharkBot

    ZharkBot is a botnet written in C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874.exe
        "C:\Users\Admin\AppData\Local\Temp\4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Exceed Exceed.bat & Exceed.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1112
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2968
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5080
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 758927
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1680
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "NonCostsDialogueAngels" Oe
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4548
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Algorithm + ..\Dept + ..\Containers + ..\Cal + ..\Filled + ..\Plymouth + ..\Checks + ..\Grounds p
            4⤵
            • System Location Discovery: System Language Discovery
            PID:644
          • C:\Users\Admin\AppData\Local\Temp\758927\Playboy.pif
            Playboy.pif p
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:816
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4464
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks.exe /create /tn "Solving" /tr "wscript //B 'C:\Users\Admin\AppData\Local\MindCalm Technologies LLC\ZenFlow.js'" /sc minute /mo 5 /F
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /create /tn "Solving" /tr "wscript //B 'C:\Users\Admin\AppData\Local\MindCalm Technologies LLC\ZenFlow.js'" /sc minute /mo 5 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3632
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenFlow.url" & echo URL="C:\Users\Admin\AppData\Local\MindCalm Technologies LLC\ZenFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenFlow.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:1004
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3980,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
      1⤵
        PID:3608
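
The process tree above is a complete loader chain: the batch file (Exceed, renamed to Exceed.bat) runs tasklist twice and pipes the output through findstr for security-product process names (wrsa, opssvc, avastui, avgui, bdservicehost, nswscsvc, sophoshealth), creates a working directory (758927), rebuilds a payload with copy /b from eight chunks into p, executes a renamed .pif from Temp with p as its argument, then sleeps with choice /d y /t 5. Persistence is set twice: a scheduled task "Solving" that runs wscript //B on ZenFlow.js every 5 minutes, and a .url file written into the Startup folder that points at the same script. One check worth doing against the Downloads list: the eight chunk sizes (84 + 97 + 66 + 51 + 76 + 56 + 85 + 54 KB) sum to 569KB, which is the size reported for p, consistent with p being exactly those parts concatenated in the order the copy /b line gives.

The detection logic below is an added example, not part of the sandbox report. It encodes those five behaviours as rules over process-creation records and correlates the tasklist and findstr children of the same parent so that an admin running tasklist by hand is not flagged. The sample records are constructed from the PIDs, parents and command lines in the tree above (the last one is a constructed benign control); the record layout is an assumption standing in for a Sysmon Event ID 1 or EDR export.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Process names the batch script greps for (taken from the two findstr lines in the tree).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "sophoshealth"}

# Constructed process-creation records modelled on the sandbox process tree.
# PIDs, parents and command lines come from the report; the dict layout is an
# assumption, and the final record is a constructed benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "2576", "ppid": "1664", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c move Exceed Exceed.bat & Exceed.bat'},
    {"pid": "1112", "ppid": "2576", "image": r"C:\Windows\SysWOW64\tasklist.exe",
     "cmd": "tasklist"},
    {"pid": "2968", "ppid": "2576", "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /I "wrsa opssvc"'},
    {"pid": "5080", "ppid": "2576", "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'},
    {"pid": "644", "ppid": "2576", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd /c copy /b ..\Algorithm + ..\Dept + ..\Containers + ..\Cal + ..\Filled "
            r"+ ..\Plymouth + ..\Checks + ..\Grounds p"},
    {"pid": "816", "ppid": "2576",
     "image": r"C:\Users\Admin\AppData\Local\Temp\758927\Playboy.pif",
     "cmd": "Playboy.pif p"},
    {"pid": "3632", "ppid": "1152", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'''schtasks.exe /create /tn "Solving" /tr "wscript //B '''
            r'''\'C:\Users\Admin\AppData\Local\MindCalm Technologies LLC\ZenFlow.js\'" '''
            r'''/sc minute /mo 5 /F'''},
    {"pid": "1004", "ppid": "1664", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows'
            r'\Start Menu\Programs\Startup\ZenFlow.url" & echo URL="C:\Users\Admin\AppData\Local'
            r'\MindCalm Technologies LLC\ZenFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft'
            r'\Windows\Start Menu\Programs\Startup\ZenFlow.url" & exit'},
    # Benign control (constructed): an administrator listing processes by hand.
    {"pid": "7001", "ppid": "7000", "image": r"C:\Windows\System32\tasklist.exe",
     "cmd": "tasklist /v"},
]


def token_set(cmd: str) -> Set[str]:
    """Lower-cased alphanumeric tokens of a command line, for name matching."""
    return set(re.findall(r"[a-z0-9]+", cmd.lower()))


def per_event_hits(event: Dict[str, str]) -> List[str]:
    """Rules that fire on a single process-creation record."""
    img, cmd = event["image"].lower(), event["cmd"].lower()
    hits: List[str] = []
    # findstr used to look for security-product process names.
    if img.endswith("findstr.exe") and AV_PROCESS_NAMES & token_set(cmd):
        hits.append("av_name_findstr")
    # copy /b joining several parts into one file (payload reassembly).
    if "copy /b" in cmd and cmd.count("+") >= 2:
        hits.append("binary_chunk_reassembly")
    # A .pif executing out of the user's Temp directory.
    if img.endswith(".pif") and "\\appdata\\local\\temp\\" in img:
        hits.append("pif_exec_from_temp")
    # Scheduled task whose action is wscript in batch (//B, no UI) mode.
    if img.endswith("schtasks.exe") and "/create" in cmd and "wscript" in cmd and "//b" in cmd:
        hits.append("schtask_wscript_hidden")
    # A .url written into the Startup folder via echo redirection.
    if "[internetshortcut]" in cmd and "\\startup\\" in cmd and ".url" in cmd:
        hits.append("startup_url_dropper")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return sorted (rule, pid) findings, including the parent-level correlation."""
    findings: List[Tuple[str, str]] = []
    children: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for event in events:
        children[event["ppid"]].append(event)
        for rule in per_event_hits(event):
            findings.append((rule, event["pid"]))
    # Correlation: a parent that spawned both tasklist and an AV-name findstr is
    # performing the "tasklist | findstr" security-software check; flag the parent.
    for ppid, kids in children.items():
        ran_tasklist = any(k["image"].lower().endswith("tasklist.exe") for k in kids)
        grepped_av = any("av_name_findstr" in per_event_hits(k) for k in kids)
        if ran_tasklist and grepped_av:
            findings.append(("av_discovery_pipeline", ppid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} pid={pid}")
```

The per-event rules are deliberately narrow (a .pif from Temp, copy /b with two or more joins, wscript //B in a task action, [InternetShortcut] written to Startup) so that each one alone is a reasonable alert; the correlation rule is what turns two individually common commands, tasklist and findstr, into a confident signal without touching the benign control record.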

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\758927\Playboy.pif

        Filesize

        872KB

        MD5

        18ce19b57f43ce0a5af149c96aecc685

        SHA1

        1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

        SHA256

        d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

        SHA512

        a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

      • C:\Users\Admin\AppData\Local\Temp\758927\p

        Filesize

        569KB

        MD5

        83afc888b04243510b45c81be0aca90b

        SHA1

        24307ecbf84dbeb6ba0a1d444f4728bbbc3ddee4

        SHA256

        6d9736e0d27580cf23ca2dde04e7ad37e81f3784ab62055ec9e99111dea31dc4

        SHA512

        27ad041e8d2bd24e96038b9c91016dc443274d67ba7f09e575974c83f1cd2499f45655bbd633bd821c7ea0f138aae02b9b96c91c1286e269ea35e993885eed77

      • C:\Users\Admin\AppData\Local\Temp\Algorithm

        Filesize

        84KB

        MD5

        139313e3e17639000484574c5b868583

        SHA1

        3bd610784217d674a47d9ecfea8212732a27f680

        SHA256

        db07c2a20a33ac2fb5db98528bf254fe27de25cb57886183b945e687757c5fdf

        SHA512

        14ce494ed36be9d8bc85fcca5683aee50e417bc39948d8c67ac687737325a2d00bb790fc227a5fd4af71e0d9e25b4424219209d96fe0bd88604500a3def66709

      • C:\Users\Admin\AppData\Local\Temp\Cal

        Filesize

        51KB

        MD5

        4d5b3e82ce74ba3e1dbe07e948dccfd7

        SHA1

        1ef8a20e6d1091e5022578a274775c5cfbbc9687

        SHA256

        437694e2a7677cfd3bb7b58bcc3c9953da52422faf7aeae1c124403c9fe40d0f

        SHA512

        c170f340a497c9d0e207c095c5b5626ae943b972589aaf07e7f5cafdc7586b7aa808e392ec012cea89d35abbaeb5496e3c5a8634740221435752e4dcea95a713

      • C:\Users\Admin\AppData\Local\Temp\Checks

        Filesize

        85KB

        MD5

        494475eb511eef17b5e3a0677e8d9d40

        SHA1

        8e6c081692cd942744c52421695a5e62b5572d27

        SHA256

        fbdcdcee83ace5e22451eba67f33daf3c996e254363f6e675b9b2ce19c43fb33

        SHA512

        37c3478d30ccaba10e8dc5a4c0e60519aeaffc2c615563c7c7d77a2e7785ea1cf0d855d6dfd554792d4421363551a950e9af294ad8b8ac1684e952efe61350d1

      • C:\Users\Admin\AppData\Local\Temp\Containers

        Filesize

        66KB

        MD5

        cd91ed2dd284782805c99d3d9392d070

        SHA1

        96a99373350320ed71b102b052279c3d99b1e5fe

        SHA256

        97d902027afb78a80eda022c942f7810fcfbe69e2107873c4a68cc3ecfef03d9

        SHA512

        718bac87cc64cc4a7c52f896cc07c1d564807c918689ad76a3e7b7208d94d69fe0ce2bebf13c67fe0b55d9e9fdcb7c16f297a5df321600a7d408e38b149a364e

      • C:\Users\Admin\AppData\Local\Temp\Dept

        Filesize

        97KB

        MD5

        ba8c8e0ac31ab41e7bf4c1bf876447a7

        SHA1

        bd4cecfc670bcb48649d0ef6699890ac9b87d843

        SHA256

        8add0b38828c1d98c42edc11ff90de9897f6d5bf336418bff10101ba85d65f87

        SHA512

        b9d644d786ad71f3b801f44f3c6e5375b8aa931b67a7338ee761aa742e1b59854e4dbdae748a549d4f9f5d624fd66485eee5d3a59073bf512be42d42fbf39124

      • C:\Users\Admin\AppData\Local\Temp\Exceed

        Filesize

        21KB

        MD5

        a15fb1f2fc25e382bc35a75af320c8d5

        SHA1

        db156f523e11d63ff07dd3a9d22ec6d81279d3ad

        SHA256

        6d67335c5beedeb1e53bc414f76ca3c2a811af1f920e2145d3f2ed04a892cedf

        SHA512

        2b77a59908219618a31da8bfe43a12d07746987ed18f2e98feee35bde77d2e6fa8e2ffc6ae4b6ee84b61e3e32465eba8e9601c962b62cc2cd263f66b890683d3

      • C:\Users\Admin\AppData\Local\Temp\Filled

        Filesize

        76KB

        MD5

        6734f9d63c2a86c37009889239ea9645

        SHA1

        382e96c0763a1b303ebbb486d098b02eb33e3693

        SHA256

        6d3e4f61e4bb756ef58c8d87628339c44f7b1ee667397ce2212bde29c434bcae

        SHA512

        b807d07afe4bf1dff19b0bf620eca8c5d1d464e5e02c3cdab956d82d55139c360c08c642320482ebdbed5d42fdf3c00d945210ab12eb47a3a53765129b12d5ab

      • C:\Users\Admin\AppData\Local\Temp\Grounds

        Filesize

        54KB

        MD5

        d8ff8ec0bf3e6d6adeced27764d7524c

        SHA1

        854859ab59e75a7b79e4b07a8c19e8bd93523676

        SHA256

        1486b6bf45f4c7d178c3d15dff7654be7bc56dc873754790bc33a40741f4980d

        SHA512

        caf6c4292d66011eae850e95fc37b96e5a0d873904ba95a4f0be6acf983828be54cef06f91af70e7a06eb039b4acf006a7efbb27cab094e7c469984243b8fd09

      • C:\Users\Admin\AppData\Local\Temp\Leu

        Filesize

        869KB

        MD5

        9ba9a85629b0428b7c45b5a0f89c06d6

        SHA1

        b401b4cc2461fc49144ab3883e0bbcf54bc8d5e7

        SHA256

        b5452a3ec7cd068fc89f74f39180c6f60177a7aaab21d80c2d749cd787f29ca3

        SHA512

        797ba0ae4425c9d22a73534f7352e8da38a6f2c3194f0d95bc3c4c1c19dafee900611805a832e2f4ccd5b59d29343b4a0971edbf2af6b09d0e9c8a53b40902f2

      • C:\Users\Admin\AppData\Local\Temp\Oe

        Filesize

        2KB

        MD5

        7a940180248437b3b48a7d50940ea91e

        SHA1

        dfc3091d7384844294f7ce6d6d798f84b703c54b

        SHA256

        a50ad1d8d7dea9fe80b3cfa1788af14570ea4488d4f142f5131e8d49f54db811

        SHA512

        2055bf18e4269b02dc4bdd6b44177a1ecf8df7cb9d1f8eff3be7b66f1df8c31e71c9e880822d03f34fbf5dc922a63064d096fe9e00961020a70d50f0d0399ba6

      • C:\Users\Admin\AppData\Local\Temp\Plymouth

        Filesize

        56KB

        MD5

        e371a4eed9e3fc4738cd2332743a6b48

        SHA1

        a942b830b65a494e502deb6af48abfe88e53373e

        SHA256

        f69928281be28923e2052bac547c37a8986286386bc10dc2143e58617ef2920b

        SHA512

        cd2b2662173ab7dd7ed0e35bda5b098c27d0df41bb10f47b05fec71783949ee5e4b5968a99132417cbd061a054c56e25d2075b0db719035c140229c8e57d7077

      • memory/816-35-0x0000000004180000-0x00000000041C5000-memory.dmp

        Filesize

        276KB

      • memory/816-36-0x0000000004180000-0x00000000041C5000-memory.dmp

        Filesize

        276KB

      • memory/816-37-0x0000000004180000-0x00000000041C5000-memory.dmp

        Filesize

        276KB

      • memory/816-38-0x0000000004180000-0x00000000041C5000-memory.dmp

        Filesize

        276KB

      • memory/816-39-0x0000000004180000-0x00000000041C5000-memory.dmp

        Filesize

        276KB