cc938a7173b4bf5863d698d322be43378d520bdea430a390496b016c85410706 | Triage

Sharing

General

Target

zxc.exe
Size

6KB
Sample

241121-ybnfaszmdr
MD5

1037e4868002ea28986b067e602219d5
SHA1

eb606ee00af1c8e3982d827819feb020e552602e
SHA256

cc938a7173b4bf5863d698d322be43378d520bdea430a390496b016c85410706
SHA512

4924969ef9398f3a45ada5dfbaeab93d92d761100fd174075b53fbfe116738b31bc338a904a102631a7239ee8f82b8bd3ca222053385fb686820ef543ea6e183
SSDEEP

96:TH79mNb60qvjnMmt3VI9dXlO5NzO6M8Ac/h6zanF3d3oj4rl:P9gqvjn3QdXlWNzOH8Ac/hT3d/

Score

10^/10

defense_evasion evasion execution persistence

Malware Config

Targets

- Target
  
  zxc.exe
- Size
  
  6KB
- MD5
  
  1037e4868002ea28986b067e602219d5
- SHA1
  
  eb606ee00af1c8e3982d827819feb020e552602e
- SHA256
  
  cc938a7173b4bf5863d698d322be43378d520bdea430a390496b016c85410706
- SHA512
  
  4924969ef9398f3a45ada5dfbaeab93d92d761100fd174075b53fbfe116738b31bc338a904a102631a7239ee8f82b8bd3ca222053385fb686820ef543ea6e183
- SSDEEP
  
  96:TH79mNb60qvjnMmt3VI9dXlO5NzO6M8Ac/h6zanF3d3oj4rl:P9gqvjn3QdXlWNzOH8Ac/hT3d/
Score

10^/10

defense_evasion evasion execution persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Power Settings

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Indicator Removal

Clear Windows Event Logs

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

defense_evasionevasionexecutionpersistence

behavioral2

defense_evasion

behavioral3

defense_evasionevasionexecutionpersistence

behavioral4

defense_evasionevasionexecutionpersistence

behavioral5

defense_evasionevasionexecutionpersistence