a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae

Analysis

max time kernel
41s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
Size

8.4MB
MD5

5d66f215d88815d93ff3b29f204c276e
SHA1

7d0d92489bc2ffacbf235db86047bdcf325b4197
SHA256

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae
SHA512

5256692f6f770a44ed06a0859b8208a11f714d045fb2d1646be9c7f3f92f2eb97a1fafb04862fa60f3cb534788113d9073c58275f85374dde6eda28ca3bc3df5
SSDEEP

196608:YDK0EFxDNP+GqTPga1sEBOgrSHBrMteIrC2ZLmMGF3q2Z2xmbKg:dhNP+PTYa1DOgrSHBrHIvmMV2ZhOg

Score

7^/10

pyinstaller

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe

Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1432 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

664 schtasks.exe
1444 schtasks.exe

resource	yara_rule
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe	pyinstaller

pid	process
1432	PING.EXE

pid	process
664	schtasks.exe
1444	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.execmd.exe

description	pid	process	target process
PID 4844 wrote to memory of 2664	4844	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 4844 wrote to memory of 2664	4844	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 4844 wrote to memory of 2664	4844	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 4844 wrote to memory of 4280	4844	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 4844 wrote to memory of 4280	4844	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 4844 wrote to memory of 4280	4844	a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe	cmd.exe
PID 2664 wrote to memory of 664	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 664	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 664	2664	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe
"C:\Users\Admin\AppData\Local\Temp\a8719935964133167d0f6f5e0997cb598aa65641887b90d5993c7b3f5f49e2ae.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 963963963. /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml" /tn "checkfix" /ru administrator /rp 66668888 /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
ZEset.exe
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~5E19.tmp.bat"
2⤵
PID:4280

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~5E19.tmp.bat
Filesize
266B

MD5
057221334fdaa54c0590dc3254670c9f

SHA1
ba8e2bb449ca73f44c5bbaeea0861d7b274a49bf

SHA256
0d632469a3f86a1b15dead7160aca8c141dcc024560979a743e07651cb54a2f0

SHA512
023c94ae7e81d59a9dfac7f103eea02607c55aad05447ac7fe8f6f1a5f33d92cdf1b0e28e67fe5aff727547964075cd0216efdc3736e3e17d9992af18bf6793e

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\ZEset.exe
Filesize
1.6MB

MD5
12cccde966739407a7cfc4521bdc9089

SHA1
18d190af2ed44d5b32f8bfce29a4d858dca5d015

SHA256
c8c767097cdac8f6c90828e8c73217bd2dbc49c133d4c580bccfbbd1dcd44627

SHA512
8ba61bb21af5766bc9e94f3a0f8e7d6d4eb5f43502a5e9f93a9875ce0ce49ec05e2f2d82c71bd60bfdf262abff45e90eb2b25c05b8e06ae8f29aabee667fed68

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\base_library.zip
Filesize
1.7MB

MD5
334e5d6e591eccd91d2121194db22815

SHA1
821d70c44dc7f25a784e9938d74e75a3471e1ad0

SHA256
9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5

SHA512
bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\ZEset\python311.dll
Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\checkfix\checkfix.xml
Filesize
3KB

MD5
41cda77237ba299d8af684c9b205a19f

SHA1
08de6b44172c5c1d2436113cd89b7410af210a43

SHA256
4802dc471fd2ffa4a500f0bfa75d489976190252921a3d3abf123696f30e49a7

SHA512
210ef121a5768f5490aaffbf1a03d57bfc4552b61083394ace1c947c288b65d1ba2afb42f89ea7bba90385c682fb35acf25c72f593cb4959e9545067a700848a

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\fix\WinRing0x64_BAK.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\fix\config0.json
Filesize
2KB

MD5
2fad585297f9c8559cac98dbd74274c9

SHA1
881d1fb16289b22a2d7349cd700d6d8341caf334

SHA256
2d9fcb24fcc0a8de32c557782c017e13aace9b188c824218f0685b62b8865bf1

SHA512
cefd6b5180137cf1244b7159abba9374ed8a0da1157fb7974bb77615d438ac7938dba74b0850161fa3a8dddc4258dbb724251edb2943968be17c9ff25248aefb

Download Submit
C:\Users\Administrator\AppData\Local\pi_network_desktop\update.bat
Filesize
739B

MD5
d071eb0d20845cb2f721e78ac0031a82

SHA1
e6ea1251b65d9a2977fa416371d2fd53f5e79e96

SHA256
99af987100fa3be8b58e268958407979159eb97fd67e690c3213df22de798c02

SHA512
49209b0b6ba623afdf9f3aae05b41eed49b00b64287b158c0545cdbad490e3c03d8ad201bdd757a2fbadb147bb8f78410ca215ecb92baf05eb87474348b3a448

Download Submit