Analysis
-
max time kernel
222s -
max time network
228s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
29-11-2024 00:39
General
-
Target
ZOD-master.zip
-
Size
41KB
-
MD5
ae6438a5a41352e5b7b37918259bea69
-
SHA1
684f4e642980875422c1e666ee349d9aee5c337f
-
SHA256
d53a7858a392b314ef7e63d5d8d2f7fa8b6067dc0b9cc926adf219c0c4c0b768
-
SHA512
28b14be2cadcc3d37afd2a501e553bb5d8df42cb376609c587348a2bfd3eab35e81b76ff2f61b1951a606739834eda607f9dc4334ea60f00bb806edb269c9784
-
SSDEEP
768:XUMiHEhp2vCIODrhNGkAalt/bp2GiKlIPJV1Aoi+vZPJSFmGiU0Jv1uwiX:XUKP2vCF1Aalt/keIPhDjZPJSFmLa
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 23 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ZOD-master.zip"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22cbfab5-a5fd-4b24-b348-da6f6c38fdc7} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fda9a85-e996-4844-a62d-626ad2f03efd} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3328 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c979321f-8300-4df3-82de-c77bad1730d1} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1224 -childID 2 -isForBrowser -prefsHandle 900 -prefMapHandle 3692 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e188a61a-b551-45a5-a84d-7fc213a59364} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5733421a-b5c5-4efa-841c-613367b04fca} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 3 -isForBrowser -prefsHandle 5196 -prefMapHandle 5092 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c156227-1ca6-4a9b-a5d8-40e4793d5e22} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36f831b7-f0db-4eb8-a7ce-f25484c95393} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9974951c-9a70-424f-8f23-69b449d18ed5} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6108 -childID 6 -isForBrowser -prefsHandle 6100 -prefMapHandle 6096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aaf5c4a-e7eb-4805-b64c-cfd51734fa53} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD51951c676f38f6c912bbce80a31d83ec8
SHA111ac1455c8c090ef6dba02667cb5dda70bfb8dfc
SHA256ae784e274d59a5c7ec672d98e1206426f802c00f66e723c81f65ee0e1df3d490
SHA512c91981c0089317526270003f8acd96f1a717fe7d5e8deabe40ad2472024a4fd01b568cb2e29f6ff9c33c305705c34f93a949b545273d26e97543ceb34e1d6286
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD57abe6e2d4d0d13deaf2a4ff84b0be52f
SHA13cd849e133adb497480adace045e840071f21de0
SHA256f49c25b7f4c43aaec8ab5ced2b5545faf79752f1de520737f1bdcc4dbb5284cc
SHA512a40420f1dbfdcbe39d2c0632763d2f3f435706b2f099dad65a4c921ae7575d93663a7333952dc3d3008ba07e92de36ed23c9271631922a20fc09a45e185d8c45
-
Filesize
12KB
MD59c9a84511bb6f65621b634a15808d958
SHA11f1f21b30c2a957bafd9859893b2147d6fefbd62
SHA25636567d99e8e43f79b7b81b8ff70e823ece498accd95cb26d3a458209dbc13c7b
SHA512f98f9d5bce13c5ac52f1a3a6909fbff84fc9aa46bc33eb2917eae418b9efc60acbff59cce97784039313dcfa335cabbb6a26a19a3e065504c62379241bf7e296
-
Filesize
21KB
MD53f66eece3e9674f94a68b775b69885be
SHA153b259e71aa845848be0babc19a5e48e679226a5
SHA256f5e9529698b5d0b1c030681c9b3d8477352a4a43405a60f6a56bf98ca2fe2dee
SHA512759194c15dbeb9486d8b0d210d57fb4d06f3c038b1dc586d9f7ef86c19d01a1e999018b19ae47b1fad9955e8da28417bd3f26a566bb7207bde8febdadd363fde
-
Filesize
982B
MD515d88da2bedd7dc266a160ba4c025c31
SHA1e52f7915bdcfac990958c12e2d8c73f5e4430bd4
SHA25609fe547d467416bd3a9595608cf928b3ea1b1ac2e86292251e824ae7b075e2e8
SHA512876d2db95b4e55c953f596246ad3213d9f2a7d26cee8475f0c370ce9d4ed1d9828e0081ae667586515b1db0aaebbb3d7455b02df590df81c8671501d65734613
-
Filesize
659B
MD5fb313d3c168113b66595b1e15da0ba9d
SHA1ad812ac95285e6f7eb146f17e70d6c4431135f4b
SHA256ac5ff53e313d26db5d38a0a8d5bb8d6dd891bb33726020bc6ad469864a778c31
SHA5124ea3f50b39341b1a6243833e6e9f79a5230541fc1804d880c43242669eddeb17c231ddb739125e1951a7f0f7f9ef4b61438337081efbb07b26e471c5f54a68c1
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5b79be3272d21913c4051ef8ed899d241
SHA1986b557fb37652e16500374d3612f43001019216
SHA2564ea91109d597c5e6a79fd3d691e26c80bb41846b3e8872c00ddd4d8f8c7a446c
SHA5122367d3d63abfc2caef02334128a3d987acccddc4b471ca3060edd030e9bb65964ce0111d0b95dfe8ae0fb811284bbf2686d18670bdd7db380f323a8bbd77f871
-
Filesize
10KB
MD5a9eaddfba37f86ffba6678e102c9acc9
SHA1e1e52e204ea982cc391aa29a7f0826e29133965c
SHA25620c4012135d1de638d73d4bb21a5f48426f126e49e33ecef3bae477a906a1b4e
SHA51213e92ed8a8e19b2881c06ddac02693e4812df05ec216fa8421ddb1189ccec68855b389989ae7796009de0a098ef392bc70d1d694a75508d91a3f151dd4ac4dfa
-
Filesize
10KB
MD5d3d372f9a484a45cec16041c16a82b90
SHA124ff7c5c07eac3f6842fe81ee25c52c7604721f0
SHA25638d351353b7577db6775bce36250b2df8f5ed870658d24e99c7486697cf8a3ae
SHA5121a82cae0a04020f6a937080ebf31f151eb8423ef262af302c8a04190e2e42ff2bbdef46d531118560ec409509efe1acddacaada79085a87a334e959ed8349bd7
-
Filesize
3KB
MD5dd5f058facf2ddc472e91a9e0c963aba
SHA195aad705a6dba3149eed8953b8311196e97c1007
SHA256b2a3ec22304683188d4f6049c8d0d74c577dda912b57f4ad301b3e798a5d4a1a
SHA512a2327d7092078dd803a177ddeab9244b6b6a43b2f17bd285fc903ad153f3279f7c372b9e6ca97a086e0c792e434b50a65789a6f90deaff7aaf4a63a9e9fff3b7