Analysis
- max time kernel: 41s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 01:15
Static task: static1
Behavioral task: behavioral1
- Sample: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
- Resource: win10v2004-20240226-en
General
- Target: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
- Size: 8.4MB
- MD5: 5d66f215d88815d93ff3b29f204c276e
- SHA1: 7d0d92489bc2ffacbf235db86047bdcf325b4197
- SHA256: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae
- SHA512: 5256692f6f770a44ed06a0859b8208a11f714d045fb2d1646be9c7f3f92f2eb97a1fafb04862fa60f3cb534788113d9073c58275f85374dde6eda28ca3bc3df5
- SSDEEP: 196608:YDK0EFxDNP+GqTPga1sEBOgrSHBrMteIrC2ZLmMGF3q2Z2xmbKg:dhNP+PTYa1DOgrSHBrHIvmMV2ZhOg
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely to geofence execution to or away from particular locales.
Processes: a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (by a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe)
Detects PyInstaller (1 IoC)
Processes:
  yara rule "pyinstaller" matched resource C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
The python311.dll, base_library.zip and VCRUNTIME140.dll written next to ZEset.exe (see Downloads) are consistent with a PyInstaller one-directory build targeting Python 3.11, so the Python payload can be recovered from the archive embedded in ZEset.exe rather than from the dropper.
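The report names the "pyinstaller" yara rule but does not show it. As an added example (not the sandbox's rule and not code from the sample), the following locates and parses the PyInstaller CArchive that the bootloader reads from the tail of a built executable: the 8-byte cookie magic, the 88-byte cookie used since PyInstaller 2.1 (package length, TOC offset, TOC length, Python version, Python library name) and the 18-byte TOC entry headers. `build_package`, `parse_pyinstaller_package`, `extract_entry` and the `SAMPLE_EXE` bytes are constructed here for illustration; they are not derived from ZEset.exe.

```python
"""Find and parse a PyInstaller package appended to an executable (added example)."""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # cookie magic the bootloader searches for
COOKIE_FMT = "!8sIIiI64s"                   # magic, package length, TOC offset, TOC length, python version, lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88
TOC_HDR_FMT = "!IIIIBc"                     # entry length, data offset, compressed length, raw length, zlib flag, type code
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT) # 18
TYPE_CODES = {"s": "python script", "b": "binary", "z": "PYZ archive", "m": "module", "M": "package"}


def build_package(entries, pyvers=311, pylib=b"python311.dll"):
    """Constructed PyInstaller-style package: [entry data...][TOC][cookie].
    entries: (name, type code, raw bytes, compress?). TOC offsets are relative to the package start."""
    data, toc = bytearray(), bytearray()
    for name, typecode, raw, compress in entries:
        payload = zlib.compress(raw) if compress else raw
        nm = name.encode() + b"\0"
        nm += b"\0" * (-(TOC_HDR_SIZE + len(nm)) % 16)   # pad each entry to a 16-byte multiple
        toc += struct.pack(TOC_HDR_FMT, TOC_HDR_SIZE + len(nm), len(data), len(payload),
                           len(raw), int(compress), typecode) + nm
        data += payload
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(data) + len(toc) + COOKIE_SIZE,
                         len(data), len(toc), pyvers, pylib.ljust(64, b"\0"))
    return bytes(data + toc + cookie)


def parse_pyinstaller_package(blob):
    """Locate the cookie (last magic occurrence, since the archive sits at the end of the file),
    validate it and walk the TOC. Returns None when no well-formed package is present."""
    pos = blob.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_SIZE])
    pkg_start = pos + COOKIE_SIZE - pkg_len          # the cookie is the last 88 bytes of the package
    if pkg_start < 0 or toc_off + toc_len > pkg_len - COOKIE_SIZE:
        return None
    # version is stored as 311 for 3.11 (current scheme) or 37 for 3.7 (old two-digit scheme)
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    entries, p, end = [], pkg_start + toc_off, pkg_start + toc_off + toc_len
    while p + TOC_HDR_SIZE <= end:
        entry_len, off, clen, ulen, cflag, typ = struct.unpack(TOC_HDR_FMT, blob[p:p + TOC_HDR_SIZE])
        if entry_len < TOC_HDR_SIZE or p + entry_len > end:
            return None                               # corrupt TOC: stop rather than loop or over-read
        name = blob[p + TOC_HDR_SIZE:p + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_CODES.get(typ.decode(), typ.decode()),
                        "offset": off, "compressed": clen, "size": ulen, "zlib": bool(cflag)})
        p += entry_len
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(),
            "package_offset": pkg_start, "entries": entries}


def extract_entry(blob, info, name):
    """Inflate one TOC entry (for example a script) for static review."""
    e = next(x for x in info["entries"] if x["name"] == name)
    start = info["package_offset"] + e["offset"]
    raw = blob[start:start + e["compressed"]]
    return zlib.decompress(raw) if e["zlib"] else raw


SCRIPT = b"import os\nprint('constructed sample script')\n"
# Constructed stand-in for a built exe: a fake PE prefix followed by the package.
SAMPLE_EXE = b"MZ" + b"\0" * 254 + build_package([
    ("pyiboot01_bootstrap", b"s", b"# bootstrap stub (constructed)\n", True),
    ("zeset", b"s", SCRIPT, True),
    ("python311.dll", b"b", b"\0" * 32, False),
])

if __name__ == "__main__":
    info = parse_pyinstaller_package(SAMPLE_EXE)
    print(f"PyInstaller package for Python {info['python']} ({info['pylib']}) at offset {info['package_offset']}")
    for e in info["entries"]:
        print(f"  {e['type']:14} {e['name']:24} {e['size']} bytes")
    print(extract_entry(SAMPLE_EXE, info, "zeset").decode())
```

Run it against a real sample by reading the executable's bytes into `parse_pyinstaller_package`; the Python version and library name in the cookie are a quick cross-check against the python311.dll dropped alongside, and script entries of type "s" are where the author's own code lives (the "z" entry is the PYZ with the bundled modules).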
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe (1 TTP, 1 IoC)
-
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Both invocations here try to register the task "checkfix" from an XML definition with /ru administrator and an inline /rp password (two different passwords are tried in turn), so the credential is exposed in the schtasks.exe command line and is visible in process-creation telemetry such as Sysmon event 1 or Security event 4688. Note that schtasks only registers a password-backed task when the supplied account and password are valid, so this persistence depends on the target having that local account and password.
Processes:
  pid 664  schtasks.exe
  pid 1444 schtasks.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (each parent-to-child write was logged three times):
  PID 4844 (a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe) wrote to memory of 2664 (cmd.exe)  x3
  PID 4844 (a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe) wrote to memory of 4280 (cmd.exe)  x3
  PID 2664 (cmd.exe) wrote to memory of 664 (schtasks.exe)  x3
Every write targets a child the writer had just created, which matches ordinary process creation (the parent populates the new process's parameters) rather than injection into an unrelated process; treat this signature as supporting context, not as evidence of code injection on its own.
Processes
[n] is the tree depth from the original report (1 = top level). The sample and everything it spawns run from SysWOW64, i.e. as 32-bit processes on the x64 image; the staging directory is under the hard-coded profile C:\Users\Administrator while the sample itself runs from C:\Users\Admin.
-
[1] C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat" "
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 963963963. /f
        - Scheduled Task/Job: Scheduled Task
-
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 66668888 /f
        - Scheduled Task/Job: Scheduled Task
-
    [3] C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
        command line: ZEset.exe
-
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~5E19.tmp.bat"
-
    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 2
        - Runs ping.exe
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    (a separate top-level process from the sandbox image, not a descendant of the sample)
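The process tree above is the kind of record a detection engineer turns into rules. As an added example (not the sandbox's own logic and not code from the sample), the script below replays the tree as process-creation events in the shape of Sysmon event 1 or Security event 4688 and flags three behaviours the signatures describe: schtasks /create with an inline /rp password, a ping-to-loopback delay under a cmd.exe running a .bat from %TEMP% (the sleep idiom of cleanup and self-delete batch files), and descendants that reference a user profile other than the one the sample ran under (the hard-coded C:\Users\Administrator path). PIDs 4844, 2664, 4280, 664 and 1444 are taken from the report; 1000, 5001 and 5002 and the `EVENTS` records themselves are constructed placeholders.

```python
"""Replay a sandbox process tree as process-creation events and flag behaviours (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe"
STAGE = r"C:\Users\Administrator\AppData\Local\pi_network_desktop"

# Constructed records mirroring the report's tree (PIDs 1000, 5001, 5002 are placeholders).
EVENTS = [
    ProcEvent(4844, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2664, 4844, r"C:\Windows\SysWOW64\cmd.exe",
              rf'C:\Windows\system32\cmd.exe /c ""{STAGE}\update.bat" "'),
    ProcEvent(664, 2664, r"C:\Windows\SysWOW64\schtasks.exe",
              rf'schtasks /create /xml "{STAGE}\checkfix\checkfix.xml" /tn "checkfix" '
              r'/ru administrator /rp 963963963. /f'),
    ProcEvent(1444, 2664, r"C:\Windows\SysWOW64\schtasks.exe",
              rf'schtasks /create /xml "{STAGE}\checkfix\checkfix.xml" /tn "checkfix" '
              r'/ru administrator /rp 66668888 /f'),
    ProcEvent(5001, 2664, rf"{STAGE}\ZEset\ZEset.exe", "ZEset.exe"),
    ProcEvent(4280, 4844, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~5E19.tmp.bat"'),
    ProcEvent(5002, 4280, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
]


def _opt(cmdline, name):
    """Value of a schtasks option written as /name "quoted" or /name bare; None if absent."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))


def descendants(events, root_pid):
    """All processes under root_pid, following ppid links."""
    kids = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e)
    out, stack = [], [root_pid]
    while stack:
        for c in kids.get(stack.pop(), []):
            out.append(c)
            stack.append(c.pid)
    return out


def scheduled_tasks_with_inline_credentials(events):
    """schtasks /create with /rp: the run-as password sits in the command line and is
    recoverable from any log that records command lines."""
    hits = []
    for e in events:
        if e.image.lower().endswith("schtasks.exe") and re.search(r"/create\b", e.cmdline, re.I):
            pw = _opt(e.cmdline, "rp")
            if pw is not None:
                hits.append({"pid": e.pid, "task": _opt(e.cmdline, "tn"), "xml": _opt(e.cmdline, "xml"),
                             "run_as": _opt(e.cmdline, "ru"), "password": pw})
    return hits


def batch_ping_delays(events):
    """ping to loopback with -n whose parent cmd.exe runs a .bat: the batch-file sleep idiom.
    Returns (cmd.exe pid, .bat path or None, ping count or None)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if not (e.image.lower().endswith("ping.exe") and parent and parent.image.lower().endswith("cmd.exe")):
            continue
        if not re.search(r"\b(?:127\.0\.0\.1|localhost)\b", e.cmdline, re.I):
            continue
        count = re.search(r"-n\s+(\d+)", e.cmdline, re.I)
        bat = re.search(r'([A-Za-z]:\\[^"]*?\.bat)\b', parent.cmdline, re.I)
        hits.append((parent.pid, bat.group(1) if bat else None, int(count.group(1)) if count else None))
    return hits


def foreign_profile_paths(events, root_pid):
    """User profiles named by the sample's descendants that differ from the profile the
    sample ran under: a sign of a hard-coded C:\\Users\\<name> path instead of %LOCALAPPDATA%."""
    root = next(e for e in events if e.pid == root_pid)
    own = re.search(r"C:\\Users\\([^\\]+)\\", root.image, re.I).group(1).lower()
    found = set()
    for e in descendants(events, root_pid):
        for name in re.findall(r"C:\\Users\\([^\\]+)\\", e.image + " " + e.cmdline, re.I):
            if name.lower() != own:
                found.add(name)
    return found


if __name__ == "__main__":
    for h in scheduled_tasks_with_inline_credentials(EVENTS):
        print("schtasks with inline credential:", h)
    print("batch ping delays:", batch_ping_delays(EVENTS))
    print("foreign profile paths:", foreign_profile_paths(EVENTS, 4844))
```

The same three checks port directly to a SIEM query over real telemetry: match on the image name plus the `/create` and `/rp` tokens, join ping.exe to its parent on the parent process id, and compare the profile in each command line with the profile of the initiating process.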
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HZ~5E19.tmp.bat
  Filesize: 266B
  MD5: 057221334fdaa54c0590dc3254670c9f
  SHA1: ba8e2bb449ca73f44c5bbaeea0861d7b274a49bf
  SHA256: 0d632469a3f86a1b15dead7160aca8c141dcc024560979a743e07651cb54a2f0
  SHA512: 023c94ae7e81d59a9dfac7f103eea02607c55aad05447ac7fe8f6f1a5f33d92cdf1b0e28e67fe5aff727547964075cd0216efdc3736e3e17d9992af18bf6793e
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\VCRUNTIME140.dll
  Filesize: 96KB
  MD5: f12681a472b9dd04a812e16096514974
  SHA1: 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
  SHA256: d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
  SHA512: 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
  Filesize: 1.6MB
  MD5: 12cccde966739407a7cfc4521bdc9089
  SHA1: 18d190af2ed44d5b32f8bfce29a4d858dca5d015
  SHA256: c8c767097cdac8f6c90828e8c73217bd2dbc49c133d4c580bccfbbd1dcd44627
  SHA512: 8ba61bb21af5766bc9e94f3a0f8e7d6d4eb5f43502a5e9f93a9875ce0ce49ec05e2f2d82c71bd60bfdf262abff45e90eb2b25c05b8e06ae8f29aabee667fed68
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\base_library.zip
  Filesize: 1.7MB
  MD5: 334e5d6e591eccd91d2121194db22815
  SHA1: 821d70c44dc7f25a784e9938d74e75a3471e1ad0
  SHA256: 9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5
  SHA512: bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\python311.dll
  Filesize: 5.5MB
  MD5: 9a24c8c35e4ac4b1597124c1dcbebe0f
  SHA1: f59782a4923a30118b97e01a7f8db69b92d8382a
  SHA256: a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
  SHA512: 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml
  Filesize: 3KB
  MD5: 41cda77237ba299d8af684c9b205a19f
  SHA1: 08de6b44172c5c1d2436113cd89b7410af210a43
  SHA256: 4802dc471fd2ffa4a500f0bfa75d489976190252921a3d3abf123696f30e49a7
  SHA512: 210ef121a5768f5490aaffbf1a03d57bfc4552b61083394ace1c947c288b65d1ba2afb42f89ea7bba90385c682fb35acf25c72f593cb4959e9545067a700848a
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\fix\WinRing0x64_BAK.sys
  Filesize: 14KB
  MD5: 0c0195c48b6b8582fa6f6373032118da
  SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
  Note: WinRing0x64.sys is the OpenLibSys WinRing0 kernel driver, which gives user-mode code access to MSRs and I/O ports and is commonly bundled with the XMRig miner; its presence next to a config0.json in a folder named fix is worth checking for a miner payload, and no driver load was observed within this run.
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\fix\config0.json
  Filesize: 2KB
  MD5: 2fad585297f9c8559cac98dbd74274c9
  SHA1: 881d1fb16289b22a2d7349cd700d6d8341caf334
  SHA256: 2d9fcb24fcc0a8de32c557782c017e13aace9b188c824218f0685b62b8865bf1
  SHA512: cefd6b5180137cf1244b7159abba9374ed8a0da1157fb7974bb77615d438ac7938dba74b0850161fa3a8dddc4258dbb724251edb2943968be17c9ff25248aefb
-
C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat
  Filesize: 739B
  MD5: d071eb0d20845cb2f721e78ac0031a82
  SHA1: e6ea1251b65d9a2977fa416371d2fd53f5e79e96
  SHA256: 99af987100fa3be8b58e268958407979159eb97fd67e690c3213df22de798c02
  SHA512: 49209b0b6ba623afdf9f3aae05b41eed49b00b64287b158c0545cdbad490e3c03d8ad201bdd757a2fbadb147bb8f78410ca215ecb92baf05eb87474348b3a448