Analysis
-
max time kernel
130s -
max time network
59s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
04-10-2022 22:47
General
-
Target
shell.bin.zip
-
Size
281KB
-
MD5
a7f4e980a3f9231a56ad3eef1d30d541
-
SHA1
fbc883217853f00a96995c30b6e58a8a44e23557
-
SHA256
74ba32641122d422cc3a5edcf2395242cf67449e33fac79a1678df7af53f8d7a
-
SHA512
035664f4b686683edb8edb5faea6e8cfcb5cd09d03b80ac0a5daaf2d8741ab2298c17f79d605327ebc210e2b15d8327d6321f709a92582bee6a3195aac966627
-
SSDEEP
6144:OFjR/WBGYkuPZwmVVLdzFVdVlBSrQBtCbrhHyZtbqh4OUDzLEcsV98jy:OWGUqmVBdxVdPBS2CbrZyZtbqyLEcs7
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\shell.bin.zip1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4781⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\shell.bin\" -spe -an -ai#7zMap20791:98:7zEvent271781⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe"C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exeC:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exeFilesize
403KB
MD54c64b7afcf85249f09da741c700eabb1
SHA118286de90456e26005c346430d1891522a8b985b
SHA256644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f
SHA51217dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa
-
C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exeFilesize
403KB
MD54c64b7afcf85249f09da741c700eabb1
SHA118286de90456e26005c346430d1891522a8b985b
SHA256644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f
SHA51217dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa
-
C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exeFilesize
403KB
MD54c64b7afcf85249f09da741c700eabb1
SHA118286de90456e26005c346430d1891522a8b985b
SHA256644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f
SHA51217dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa
-
\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exeFilesize
403KB
MD54c64b7afcf85249f09da741c700eabb1
SHA118286de90456e26005c346430d1891522a8b985b
SHA256644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f
SHA51217dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa
-
memory/1296-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmpFilesize
8KB
-
memory/1608-59-0x00000000002B0000-0x00000000002FC000-memory.dmpFilesize
304KB
-
memory/1608-61-0x00000000004014E0-mapping.dmp
-
memory/1608-63-0x0000000076171000-0x0000000076173000-memory.dmpFilesize
8KB
-
memory/1608-64-0x00000000002B0000-0x00000000002FC000-memory.dmpFilesize
304KB