Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:38
Static task
static1
Behavioral task
behavioral1
Sample
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe
Resource
win10v2004-20241007-en
General
-
Target
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe
-
Size
65KB
-
MD5
a70dbc079f9fe5c9729526477515e9e0
-
SHA1
75e00eb31ba762ea155c3f7d78a137313c05c9ae
-
SHA256
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0c
-
SHA512
2fc1f287d4ec9e4e162f03e03dfd0817b999313b92a7f20fade406b4494ffea3c2be6f30facaf30efce9cbbb1cda9d38c09808f1a9e3dc4463230ba6a4aaf9de
-
SSDEEP
768:MDcpEBMLfQcubV5wGE96YyXDTLdEBBBBZ:MDcfLfIbtEbyXfZc
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2088 cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
zskhost.exepid process 2896 zskhost.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Windows directory 3 IoCs
Processes:
attrib.exe3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exedescription ioc process File opened for modification C:\Windows\Debug\zskhost.exe attrib.exe File created C:\Windows\Debug\zskhost.exe 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe File opened for modification C:\Windows\Debug\zskhost.exe 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exeattrib.exezskhost.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zskhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exedescription pid process Token: SeIncBasePriorityPrivilege 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exedescription pid process target process PID 1688 wrote to memory of 2236 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe attrib.exe PID 1688 wrote to memory of 2236 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe attrib.exe PID 1688 wrote to memory of 2236 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe attrib.exe PID 1688 wrote to memory of 2236 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe attrib.exe PID 1688 wrote to memory of 2088 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe cmd.exe PID 1688 wrote to memory of 2088 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe cmd.exe PID 1688 wrote to memory of 2088 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe cmd.exe PID 1688 wrote to memory of 2088 1688 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe cmd.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe"C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\attrib.exeattrib +a +s +h +r C:\Windows\Debug\zskhost.exe2⤵
- Sets file to hidden
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2236 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3AD4B2~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2088
-
C:\Windows\Debug\zskhost.exeC:\Windows\Debug\zskhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5fcc82cd8b627616bf9318b871a6c4974
SHA19051a2232d7f19cb1d55abc585e948ea27f9275b
SHA2564e01eabb8231fe18aceb87bd81a485f9bccf192f5d00958498b3412fb9222523
SHA512880717b10f33f35c2ce9a9605eaac1739935764e3b15b9e6b9da891194ef299da26bda281c39d88e82cc7c491fe2a892b8611e42cdcbb695ff59eeabe4c6eb31