Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 02:17

General

  • Target

    be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe

  • Size

    9.3MB

  • MD5

    8acbaebce4aad71c51039fa86b9a3a31

  • SHA1

    dfeeddd2de68073b97ef5c9adc474c15738c4df7

  • SHA256

    be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6

  • SHA512

    8c12681fcbec8cd9a4b12eaa8273cafd7f44d4074e8f42928a4eec2d1775cc450b1dfe1f85812d4aba95e022efc18800c7cff680be1ab0c4e693e3e6bca27f0a

  • SSDEEP

    6144:SSK/ymZ3ctTWQHf5w5i5iLCK1/KMSVT86JQPDHDdx/Qtqp:3e0TlHf5w5i5iLCK1/RShPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 28 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)

    Possibly turns off User Account Control privilege elevation for standard users.

  • Looks up external IP address via web service (7 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • System policy modification (1 TTP, 36 IoCs)
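
The signature categories above name behaviours, not the exact registry values the sample wrote (the per-IoC detail is not reproduced on this page). The Python script below is an added example, not part of the sandbox report, that audits the text of a `reg export` file for the well-known locations behind five of those categories: Winlogon Shell/Userinit, the UAC policy values EnableLUA and ConsentPromptBehaviorUser, DisableRegistryTools, Policies\Explorer\Run, and SafeBoot\AlternateShell. The embedded export is constructed for illustration and the payload.exe path in it is a placeholder, not a value taken from the analysed sample.

```python
"""Offline audit of a Windows registry export (`reg export` output) for the
persistence and defence-impairment categories named by sandbox signatures.
Added example, not part of the sandbox report: the checks target the
well-known registry locations behind each category, and the .reg text
below is constructed for illustration."""
import re

# Constructed sample export. payload.exe is a placeholder path, not a value
# taken from the analysed sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\payload.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"loader"="C:\\Users\\Admin\\AppData\\Local\\Temp\\payload.exe -"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\Users\\Admin\\AppData\\Local\\Temp\\payload.exe"
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
UAC_POLICY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
USER_POLICY = r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
POLICY_RUN = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
SAFEBOOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot'

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key.lower(): {value_name: value}}. Quoted strings
    are unescaped, dword values become ints, other types are kept as raw text."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = hives.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                value = re.sub(r'\\(.)', r'\1', raw[1:-1])   # \\ -> \ and \" -> "
            elif raw.startswith('dword:'):
                value = int(raw[6:], 16)
            else:
                value = raw
            current[name] = value
    return hives


def audit(hives):
    """Return (category, detail) findings for the locations each category covers."""
    def values(key):
        return hives.get(key.lower(), {})
    findings = []

    # Modifies WinLogon for persistence: anything beyond explorer.exe in Shell,
    # or beyond userinit.exe in Userinit, is launched at every interactive logon.
    wl = values(WINLOGON)
    shell = wl.get('Shell', 'explorer.exe')
    if shell.strip().lower() != 'explorer.exe':
        findings.append(('Modifies WinLogon for persistence', f'Shell={shell}'))
    userinit = [p.strip() for p in wl.get('Userinit', 'userinit.exe,').split(',') if p.strip()]
    if len(userinit) != 1 or not userinit[0].lower().endswith('userinit.exe'):
        findings.append(('Modifies WinLogon for persistence', f'Userinit={wl.get("Userinit")}'))

    # UAC: EnableLUA is the value read to check whether UAC is on and written
    # to 0 to switch it off; ConsentPromptBehaviorUser=0 means elevation
    # requests from standard users are denied without a prompt.
    uac = values(UAC_POLICY)
    if uac.get('EnableLUA') == 0:
        findings.append(('UAC bypass', 'EnableLUA=0'))
    if uac.get('ConsentPromptBehaviorUser') == 0:
        findings.append(('UAC bypass', 'ConsentPromptBehaviorUser=0'))

    # Disables RegEdit via registry modification.
    if values(USER_POLICY).get('DisableRegistryTools', 0) != 0:
        findings.append(('Disables RegEdit', 'DisableRegistryTools set'))

    # Adds policy Run key: Policies\Explorer\Run is a Group Policy autostart
    # location; every value under it is a logon-time launch worth reviewing.
    for name, cmd in values(POLICY_RUN).items():
        findings.append(('Adds policy Run key', f'{name}={cmd}'))

    # Impair Defenses: Safe Mode Boot. The stock AlternateShell is cmd.exe;
    # anything else runs in its place under Safe Mode with Command Prompt.
    alt = values(SAFEBOOT).get('AlternateShell', 'cmd.exe')
    if alt.lower() != 'cmd.exe':
        findings.append(('Impair Defenses: Safe Mode Boot', f'AlternateShell={alt}'))
    return findings


if __name__ == '__main__':
    for category, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'{category:40} {detail}')
```

To run it against a real host, export the keys with `reg export` (the output is UTF-16, so open it with `encoding='utf-16'`) and pass the text to `parse_reg`. An HKCU export reflects only the account that ran the export, and the 32-bit view under WOW6432Node is not covered, so check both where a 32-bit sample is involved.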

Processes

  • C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe
    "C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\zilszgs.exe
      "C:\Users\Admin\AppData\Local\Temp\zilszgs.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3620
    • C:\Users\Admin\AppData\Local\Temp\zilszgs.exe
      "C:\Users\Admin\AppData\Local\Temp\zilszgs.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • System policy modification
      PID:4304
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4984

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      6c3de8497c66555c2c275bd84162006f

      SHA1

      aa1e6ffd49adb39085291a27bc2a8d6d0bedd103

      SHA256

      7a11f2a964e06c30803ff1b8aa867cb71b6cc8412b4e2b14e394f9e5f49f37fa

      SHA512

      deae1303d5b49c50445a7482f724ade619c35fab566e9d6865c03b6ee657f23205bef93d011ca9683bb3551837f11cf876db6278480ba743e3726e5330ce4137

    • C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      608e9a205ce20f9c635bef7254d5b11b

      SHA1

      c14b2cd46ccbc0a9e85b6538d3c0a84b159f1a6f

      SHA256

      40f2b81cc985083e8f4884c2ebc0ff94997bfbe454494a3762632ccab296b473

      SHA512

      d0b42dfe4e285e9495b87e190d0ef6d1b5e78b676578b64eb7bae47a141e2c47b42cb3cee72ebc41ac2460c35aba16db090bdb47faef129bbb526a1970846052

    • C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      5761815c5e52104aec0f8835241f36bf

      SHA1

      6c041f0f317c99cdc9c8c9283c28336e0a1af0aa

      SHA256

      89dd88f0d4111f5f20a290d3a8cbe88f73b7c7e2f4a299a01335f7e1cc4a88ea

      SHA512

      b3c611ea032a1aa93d468e1e9d3d8c511602cf1b2678059e713263a650bdd405a6caf4d6a3d4a7d83b8cc28548b7f5227f0ca8994fddeecade4652d6990f8400

    • C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      690d99f5e077fc55f8db96747ffe6889

      SHA1

      c30c439b29042b0cb063508dd45e521250f5165d

      SHA256

      87780f6577242d547afef8ccd5f66904f00eefcdae2340b9fe6c973964e7bb89

      SHA512

      237df60540d2003535aa30a25b05c40b8af0fc095b48d8d3eb5847c2a1190e4002cb4520a749613302da13eef0c1f0cc5bae718e1ed5111be93ea04c1d484785

    • C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      972a4c43a286309ac7f98a9c57962aae

      SHA1

      30a2006d7a8e01d5f2a81c579e44eb53785581b5

      SHA256

      26bc0b9248aa38a991d3f78debd11ebab3bd7b54ec92117986a11b52559416ee

      SHA512

      38248e024be8d9518dcf11f534b1d3e53fae02976e3844404f91a290784e7281a3011e44971efd99eb2d5a0403c2adf32d4cfcd5310eaf3ecaf6e37be1efbd8c

    • C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      cc05cc22c461092b35c2a74ed5cc50d1

      SHA1

      ce16bdf4f2524b27605a0988dea9e72a28300b9c

      SHA256

      f5805a400e1158b8e0879341d0825dec0f2bef384c5274f430bbc89299de9499

      SHA512

      21cfb2d3d6fa6149004dd00f064fb07e472705355292bfbd61d60c2187890579cb0d361a3523fce10df130fb8bcd96ea5d0937fc29f5c1d8a312a16bd1e18193

    • C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      f0080f3d8992fd14cad3f118a0336500

      SHA1

      29aa75868c9f1d5a1bb58f1deccd0011f5fc8b3d

      SHA256

      a85c87c305ed36cc9a1d579a2ab65bdc8305d9fd06a6f90936c05cdef28d5d40

      SHA512

      33ba390482def90a9ab5c5e0d67df455651ad0c691c6979194459430db1fb7892da1914553e1f0d9e0bf00e5cb9a8af54936376181ce9b761257898f4030e205

    • C:\Users\Admin\AppData\Local\Temp\zilszgs.exe

      Filesize

      11.3MB

      MD5

      979162ec5187e7dce7c5c6fe9383d5a4

      SHA1

      9f3b9046be083403b378d8cd2998ee399e12cd21

      SHA256

      e379b18e73c370a4ef27fb9d7c7844d3cdf300b3b2d47e3f5777161a19ab71d0

      SHA512

      f664185447aa0d89ac680f9b01cd5904a6eb0d5e16d4fe0a5ced208667cee2e12f5a2e48f8f32eaa42892cd1e0101bb90161e563d55832947941aef46f1c85c4

    • C:\Users\Admin\AppData\Local\syycgktuwzjgnvhsnzmsswaeno.tda

      Filesize

      272B

      MD5

      6878790f713a7b8f01f0642aac043f01

      SHA1

      627a445154ff9a956d2ff7bb4f2908413b847ac2

      SHA256

      8479ced68258e604453f49580638912ba277f6262c9349e4af4bd529c817aeab

      SHA512

      2dced776ac1dbfd20abec07b1f87a73307650b51ab7e33fc84985267504e6d6fd8e517d74c75dc3e9790a620967b9920c639398c2aae13cc187a80a9727c115f

    • C:\Users\Admin\AppData\Local\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet

      Filesize

      3KB

      MD5

      e4d3f414f1cd20c1073c7e7bb3ddc669

      SHA1

      a360f2fa2fdedef02ae41f14180b10bf230957d2

      SHA256

      a9618b5dc3f6600594bc14634f40425d618675fa4259092b2bb3ba3c055b0e67

      SHA512

      b10dce9da849b7d044a3b3c68d707bb26cdfb3cb9e2d897462c76920ca17cd1a8bf27b31bcad5ed5f4d153d67459dd65f2568b7487f1cf77f687ca0434f132b7
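
The same 272-byte .tda file appears above seven times under Program Files (x86) with a different hash each time, and once more under AppData\Local: the sample rewrites it with fresh content, so none of those hashes will match a future run. The Python script below is an added example, not part of the sandbox report, that parses the flattened "path / label / value" layout of the Downloads section into records and turns them into indicators, keeping a hash only for files whose content was stable and falling back to a file-name indicator for files that were rewritten. The embedded text is an excerpt of the entries above (four of them, SHA512 omitted for brevity) and was copied from this page.

```python
"""Turn a sandbox report's dropped-file list into usable indicators.
Added example, not part of the report. The embedded text is an excerpt of
the report's Downloads section; the grouping logic is the point: a file
name seen with several distinct hashes is a name/path indicator, not a
hash indicator, because every run produces new content."""
import json
import re
from collections import defaultdict

# Excerpt copied from the report above (four entries, SHA512 omitted).
REPORT_EXCERPT = r'''
• C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda
  Filesize
  272B
  MD5
  6c3de8497c66555c2c275bd84162006f
  SHA1
  aa1e6ffd49adb39085291a27bc2a8d6d0bedd103
  SHA256
  7a11f2a964e06c30803ff1b8aa867cb71b6cc8412b4e2b14e394f9e5f49f37fa
• C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda
  Filesize
  272B
  MD5
  608e9a205ce20f9c635bef7254d5b11b
  SHA1
  c14b2cd46ccbc0a9e85b6538d3c0a84b159f1a6f
  SHA256
  40f2b81cc985083e8f4884c2ebc0ff94997bfbe454494a3762632ccab296b473
• C:\Users\Admin\AppData\Local\Temp\zilszgs.exe
  Filesize
  11.3MB
  MD5
  979162ec5187e7dce7c5c6fe9383d5a4
  SHA1
  9f3b9046be083403b378d8cd2998ee399e12cd21
  SHA256
  e379b18e73c370a4ef27fb9d7c7844d3cdf300b3b2d47e3f5777161a19ab71d0
• C:\Users\Admin\AppData\Local\syycgktuwzjgnvhsnzmsswaeno.tda
  Filesize
  272B
  MD5
  6878790f713a7b8f01f0642aac043f01
  SHA1
  627a445154ff9a956d2ff7bb4f2908413b847ac2
  SHA256
  8479ced68258e604453f49580638912ba277f6262c9349e4af4bd529c817aeab
'''

SIZE_UNITS = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}


def parse_size(text):
    """'272B' -> 272, '11.3MB' -> 11848908 (approximate; the report rounds)."""
    m = re.fullmatch(r'([\d.]+)\s*([KMG]?B)', text.strip())
    if not m:
        raise ValueError(f'unparseable size: {text!r}')
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def parse_downloads(text):
    """Parse the report's flattened layout: a bullet line holds the path and is
    followed by alternating label/value lines (Filesize, MD5, SHA1, ...)."""
    records, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('•'):
            current = {'path': line[1:].strip()}
            records.append(current)
            label = None
        elif current is not None and label is None:
            label = line.lower()                     # 'filesize', 'md5', 'sha256', ...
        elif current is not None:
            current[label] = parse_size(line) if label == 'filesize' else line.lower()
            label = None
    return records


def build_indicators(records):
    """Group records by file name. Several distinct hashes under one name mean
    the content changes between writes, so only the name and where it lands
    are worth matching on; a single hash is a usable content indicator."""
    by_name = defaultdict(lambda: {'paths': set(), 'sha256': set()})
    for r in records:
        name = r['path'].rsplit('\\', 1)[-1].lower()
        by_name[name]['paths'].add(r['path'])
        by_name[name]['sha256'].add(r['sha256'])
    indicators = []
    for name, info in by_name.items():
        if len(info['sha256']) > 1:
            indicators.append({'type': 'filename', 'value': name, 'paths': sorted(info['paths']),
                               'note': f"{len(info['sha256'])} distinct contents; hash is volatile"})
        else:
            indicators.append({'type': 'sha256', 'value': next(iter(info['sha256'])),
                               'paths': sorted(info['paths']), 'note': 'single stable content'})
    return indicators


if __name__ == '__main__':
    print(json.dumps(build_indicators(parse_downloads(REPORT_EXCERPT)), indent=2))
```

Run over the full Downloads section the grouping gives the same two kinds of indicator: a file-name indicator for syycgktuwzjgnvhsnzmsswaeno.tda (eight writes, two directories) and content hashes for zilszgs.exe and the .pet file, which each appear once. File-name indicators should be paired with the drop directories, since a bare name like that is unlikely to collide with legitimate software but tells you nothing on its own about where to look.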