a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
Size

8.4MB
MD5

5d66f215d88815d93ff3b29f204c276e
SHA1

7d0d92489bc2ffacbf235db86047bdcf325b4197
SHA256

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae
SHA512

5256692f6f770a44ed06a0859b8208a11f714d045fb2d1646be9c7f3f92f2eb97a1fafb04862fa60f3cb534788113d9073c58275f85374dde6eda28ca3bc3df5
SSDEEP

196608:YDK0EFxDNP+GqTPga1sEBOgrSHBrMteIrC2ZLmMGF3q2Z2xmbKg:dhNP+PTYa1DOgrSHBrHIvmMV2ZhOg

Score

7^/10

pyinstaller

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

352 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

ZEset.exe

pid process

2476 ZEset.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeZEset.exe

pid process

2436 cmd.exe
2476 ZEset.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1656 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1248 schtasks.exe
2652 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe

description pid process

Token: SeIncBasePriorityPrivilege 2768 a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe

pid	process
352	cmd.exe

pid	process
2476	ZEset.exe

pid	process
2436	cmd.exe
2476	ZEset.exe

resource	yara_rule
\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe	pyinstaller

pid	process
1656	PING.EXE

pid	process
1248	schtasks.exe
2652	schtasks.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.execmd.execmd.exe

description	pid	process	target process
PID 2768 wrote to memory of 2436	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 352	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 352	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 352	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2768 wrote to memory of 352	2768	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2436 wrote to memory of 1248	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 1248	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 1248	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 1248	2436	cmd.exe	schtasks.exe
PID 352 wrote to memory of 1656	352	cmd.exe	PING.EXE
PID 352 wrote to memory of 1656	352	cmd.exe	PING.EXE
PID 352 wrote to memory of 1656	352	cmd.exe	PING.EXE
PID 352 wrote to memory of 1656	352	cmd.exe	PING.EXE
PID 2436 wrote to memory of 2652	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 2652	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 2652	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 2652	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 2476	2436	cmd.exe	ZEset.exe
PID 2436 wrote to memory of 2476	2436	cmd.exe	ZEset.exe
PID 2436 wrote to memory of 2476	2436	cmd.exe	ZEset.exe
PID 2436 wrote to memory of 2476	2436	cmd.exe	ZEset.exe

C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
"C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 963963963. /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 66668888 /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
ZEset.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~1FC0.tmp.bat"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:1656

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~1FC0.tmp.bat
Filesize
266B

MD5
057221334fdaa54c0590dc3254670c9f

SHA1
ba8e2bb449ca73f44c5bbaeea0861d7b274a49bf

SHA256
0d632469a3f86a1b15dead7160aca8c141dcc024560979a743e07651cb54a2f0

SHA512
023c94ae7e81d59a9dfac7f103eea02607c55aad05447ac7fe8f6f1a5f33d92cdf1b0e28e67fe5aff727547964075cd0216efdc3736e3e17d9992af18bf6793e

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\python311.dll
Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml
Filesize
3KB

MD5
41cda77237ba299d8af684c9b205a19f

SHA1
08de6b44172c5c1d2436113cd89b7410af210a43

SHA256
4802dc471fd2ffa4a500f0bfa75d489976190252921a3d3abf123696f30e49a7

SHA512
210ef121a5768f5490aaffbf1a03d57bfc4552b61083394ace1c947c288b65d1ba2afb42f89ea7bba90385c682fb35acf25c72f593cb4959e9545067a700848a

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\fix\WinRing0x64_BAK.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat
Filesize
739B

MD5
d071eb0d20845cb2f721e78ac0031a82

SHA1
e6ea1251b65d9a2977fa416371d2fd53f5e79e96

SHA256
99af987100fa3be8b58e268958407979159eb97fd67e690c3213df22de798c02

SHA512
49209b0b6ba623afdf9f3aae05b41eed49b00b64287b158c0545cdbad490e3c03d8ad201bdd757a2fbadb147bb8f78410ca215ecb92baf05eb87474348b3a448

Download Submit
\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
Filesize
1.6MB

MD5
12cccde966739407a7cfc4521bdc9089

SHA1
18d190af2ed44d5b32f8bfce29a4d858dca5d015

SHA256
c8c767097cdac8f6c90828e8c73217bd2dbc49c133d4c580bccfbbd1dcd44627

SHA512
8ba61bb21af5766bc9e94f3a0f8e7d6d4eb5f43502a5e9f93a9875ce0ce49ec05e2f2d82c71bd60bfdf262abff45e90eb2b25c05b8e06ae8f29aabee667fed68

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads