Analysis
Max time kernel: 122s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 01-07-2024 01:15

Static task: static1

Behavioral task: behavioral1
  Sample: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
  Resource: win10v2004-20240226-en
General
Target: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
Size: 8.4MB
MD5: 5d66f215d88815d93ff3b29f204c276e
SHA1: 7d0d92489bc2ffacbf235db86047bdcf325b4197
SHA256: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae
SHA512: 5256692f6f770a44ed06a0859b8208a11f714d045fb2d1646be9c7f3f92f2eb97a1fafb04862fa60f3cb534788113d9073c58275f85374dde6eda28ca3bc3df5
SSDEEP: 196608:YDK0EFxDNP+GqTPga1sEBOgrSHBrMteIrC2ZLmMGF3q2Z2xmbKg:dhNP+PTYa1DOgrSHBrHIvmMV2ZhOg
Malware Config
Signatures
Deletes itself (1 IoC)
  Processes: cmd.exe (PID 352)

Executes dropped EXE (1 IoC)
  Processes: ZEset.exe (PID 2476)

Loads dropped DLL (2 IoCs)
  Processes: cmd.exe (PID 2436), ZEset.exe (PID 2476)

Detects Pyinstaller (1 IoC)
  YARA rule "pyinstaller" matched resource \Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  Processes: PING.EXE (PID 1656, spawned by cmd.exe PID 352)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 1248), schtasks.exe (PID 2652)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 2768 a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  The 27 events collapse to six source/target pairs:

  Source PID  Source process                                                              Target PID  Target process  Events
  2768        a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe        2436        cmd.exe         7
  2768        a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe        352         cmd.exe         4
  2436        cmd.exe                                                                     1248        schtasks.exe    4
  352         cmd.exe                                                                     1656        PING.EXE        4
  2436        cmd.exe                                                                     2652        schtasks.exe    4
  2436        cmd.exe                                                                     2476        ZEset.exe       4
Processes
Indentation shows process depth (the report's 1, 2, 3 markers). The two schtasks.exe instances are PIDs 1248 and 2652; the report does not tie either PID to a specific invocation, so they are left unnumbered here.

C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe (PID 2768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2436)
    Command line: cmd /c ""C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 963963963. /f
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 66668888 /f
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe (PID 2476)
      Command line: ZEset.exe
      - Executes dropped EXE
      - Loads dropped DLL

  C:\Windows\SysWOW64\cmd.exe (PID 352)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~1FC0.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1656)
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
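Two things in the tree above are worth turning into detection logic. First, both schtasks invocations import the same task XML under the same task name "checkfix" with /ru administrator and a plaintext password supplied via /rp, and the two invocations use different passwords ("963963963." and "66668888"); a password on a schtasks command line is recorded in every process-creation log, and two passwords for one task is not how a legitimate installer behaves. Second, the cmd.exe that carries the "Deletes itself" hit runs a .bat from the Temp directory and spawns ping 127.0.0.1 -n 2, the usual way a batch file sleeps before deleting a dropper that is still running. The Python below is an added example, not part of the sandbox report: it runs both checks over process-creation events constructed from this report's process tree. The event field names (pid, ppid, image, cmdline) are an assumed log shape, not a specific product's schema, and the mapping of PID 1248 to the first schtasks command line and 2652 to the second is assumed from the order of the report's WriteProcessMemory listing.

```python
"""Flag the schtasks credential-on-command-line and ping-as-sleep patterns
seen in the process tree above.  Added example; the events are constructed
from the report and the field names are an assumed log shape."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe")
DROP = r"C:\Users\Administrator\AppData\Local\pi_network_desktop"

# Constructed from the report's process tree.  Assumption: PID 1248 is the
# first schtasks invocation and 2652 the second (order of the report's
# WriteProcessMemory listing); the report does not tie PID to command line.
EVENTS = [
    {"pid": 2768, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2436, "ppid": 2768, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c ""{DROP}\\update.bat" "'},
    {"pid": 1248, "ppid": 2436, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'schtasks /create /xml "{DROP}\\checkfix\\checkfix.xml" /tn "checkfix" /ru administrator /rp 963963963. /f'},
    {"pid": 2652, "ppid": 2436, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'schtasks /create /xml "{DROP}\\checkfix\\checkfix.xml" /tn "checkfix" /ru administrator /rp 66668888 /f'},
    {"pid": 2476, "ppid": 2436, "image": DROP + r"\ZEset\ZEset.exe", "cmdline": "ZEset.exe"},
    {"pid": 352, "ppid": 2768, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~1FC0.tmp.bat"'},
    {"pid": 1656, "ppid": 352, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1 -n 2"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping a quoted run as
    one token and stripping its surrounding quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def switch_value(toks, name):
    """Value following a case-insensitive /switch (or -switch), else None."""
    low = [t.lower() for t in toks]
    if name in low and low.index(name) + 1 < len(toks):
        return toks[low.index(name) + 1]
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_findings(events):
    """schtasks /create ... /rp <pw>: the run-as account's password is on the
    command line, so it is in every process-creation log.  A second hit is
    the same task name registered under the same /ru with a different password."""
    findings, tried = [], defaultdict(set)
    for ev in events:
        toks = tokens(ev["cmdline"])
        if basename(ev["image"]) != "schtasks.exe" or "/create" not in (t.lower() for t in toks):
            continue
        tn, ru, rp, xml = (switch_value(toks, s) for s in ("/tn", "/ru", "/rp", "/xml"))
        if rp is None:
            continue
        findings.append({"rule": "schtasks_password_on_cmdline", "pid": ev["pid"],
                         "task": tn, "run_as": ru, "xml": xml,
                         "xml_in_user_profile": bool(xml and re.search(r"\\AppData\\", xml, re.I))})
        tried[(tn, (ru or "").lower())].add(rp)  # password values are counted, not reported
    for (tn, ru), pws in tried.items():
        if len(pws) > 1:
            findings.append({"rule": "schtasks_multiple_passwords_same_task",
                             "task": tn, "run_as": ru, "distinct_passwords": len(pws)})
    return findings


def self_delete_findings(events):
    """ping <loopback> -n N spawned by cmd.exe /c <Temp>\\...bat: the batch file
    is using ping as a sleep, the usual prelude to deleting a dropper that is
    still running (the report's 'Deletes itself' hit is on that cmd.exe)."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        toks = [t.lower() for t in tokens(ev["cmdline"])]
        if basename(ev["image"]) != "ping.exe" or "-n" not in toks:
            continue
        if not {"127.0.0.1", "localhost", "::1"} & set(toks):
            continue
        parent = by_pid.get(ev["ppid"])
        if not parent or basename(parent["image"]) != "cmd.exe":
            continue
        m = re.search(r'\\Temp\\[^"]*\.bat', parent["cmdline"], re.I)
        if m:
            findings.append({"rule": "ping_sleep_before_self_delete", "ping_pid": ev["pid"],
                             "cmd_pid": parent["pid"], "batch": m.group(0),
                             "delay_count": switch_value(toks, "-n")})
    return findings


def analyze(events=EVENTS):
    return schtasks_findings(events) + self_delete_findings(events)


if __name__ == "__main__":
    for f in analyze():
        print(f)
```

The self-delete rule deliberately requires the parent relationship rather than matching ping 127.0.0.1 alone, since a bare loopback ping is common in legitimate scripts; the schtasks rule reports that a password was supplied and how many distinct values were tried for the task, without echoing the values, which is usually what you want in an alert that will be forwarded around.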
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\HZ~1FC0.tmp.bat
  Filesize: 266B
  MD5: 057221334fdaa54c0590dc3254670c9f
  SHA1: ba8e2bb449ca73f44c5bbaeea0861d7b274a49bf
  SHA256: 0d632469a3f86a1b15dead7160aca8c141dcc024560979a743e07651cb54a2f0
  SHA512: 023c94ae7e81d59a9dfac7f103eea02607c55aad05447ac7fe8f6f1a5f33d92cdf1b0e28e67fe5aff727547964075cd0216efdc3736e3e17d9992af18bf6793e

C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\python311.dll
  Filesize: 5.5MB
  MD5: 9a24c8c35e4ac4b1597124c1dcbebe0f
  SHA1: f59782a4923a30118b97e01a7f8db69b92d8382a
  SHA256: a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
  SHA512: 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml
  Filesize: 3KB
  MD5: 41cda77237ba299d8af684c9b205a19f
  SHA1: 08de6b44172c5c1d2436113cd89b7410af210a43
  SHA256: 4802dc471fd2ffa4a500f0bfa75d489976190252921a3d3abf123696f30e49a7
  SHA512: 210ef121a5768f5490aaffbf1a03d57bfc4552b61083394ace1c947c288b65d1ba2afb42f89ea7bba90385c682fb35acf25c72f593cb4959e9545067a700848a

C:\Users\Administrator\AppData\Local\pi_network_desktop\fix\WinRing0x64_BAK.sys
  Filesize: 14KB
  MD5: 0c0195c48b6b8582fa6f6373032118da
  SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat
  Filesize: 739B
  MD5: d071eb0d20845cb2f721e78ac0031a82
  SHA1: e6ea1251b65d9a2977fa416371d2fd53f5e79e96
  SHA256: 99af987100fa3be8b58e268958407979159eb97fd67e690c3213df22de798c02
  SHA512: 49209b0b6ba623afdf9f3aae05b41eed49b00b64287b158c0545cdbad490e3c03d8ad201bdd757a2fbadb147bb8f78410ca215ecb92baf05eb87474348b3a448

\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
  Filesize: 1.6MB
  MD5: 12cccde966739407a7cfc4521bdc9089
  SHA1: 18d190af2ed44d5b32f8bfce29a4d858dca5d015
  SHA256: c8c767097cdac8f6c90828e8c73217bd2dbc49c133d4c580bccfbbd1dcd44627
  SHA512: 8ba61bb21af5766bc9e94f3a0f8e7d6d4eb5f43502a5e9f93a9875ce0ce49ec05e2f2d82c71bd60bfdf262abff45e90eb2b25c05b8e06ae8f29aabee667fed68