74ba32641122d422cc3a5edcf2395242cf67449e33fac79a1678df7af53f8d7a

Resubmissions

04/10/2022, 22:47

221004-2qptfscgf3 8

20/10/2020, 18:23

201020-ygfgc9a6ja 8

Analysis

max time kernel
130s
max time network
59s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shell.bin.zip
Size

281KB
MD5

a7f4e980a3f9231a56ad3eef1d30d541
SHA1

fbc883217853f00a96995c30b6e58a8a44e23557
SHA256

74ba32641122d422cc3a5edcf2395242cf67449e33fac79a1678df7af53f8d7a
SHA512

035664f4b686683edb8edb5faea6e8cfcb5cd09d03b80ac0a5daaf2d8741ab2298c17f79d605327ebc210e2b15d8327d6321f709a92582bee6a3195aac966627
SSDEEP

6144:OFjR/WBGYkuPZwmVVLdzFVdVlBSrQBtCbrhHyZtbqh4OUDzLEcsV98jy:OWGUqmVBdxVdPBS2CbrZyZtbqyLEcs7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
660	shell.bin.exe
1608	shell.bin.exe

Loads dropped DLL 1 IoCs

pid	Process
660	shell.bin.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 1608	660	shell.bin.exe	38

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	1944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1944	AUDIODG.EXE
Token: 33	1944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1944	AUDIODG.EXE
Token: SeRestorePrivilege	360	7zG.exe
Token: 35	360	7zG.exe
Token: SeSecurityPrivilege	360	7zG.exe
Token: SeSecurityPrivilege	360	7zG.exe
Token: SeDebugPrivilege	660	shell.bin.exe
Token: SeDebugPrivilege	1608	shell.bin.exe
Token: SeDebugPrivilege	1608	shell.bin.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
360	7zG.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1608	660	shell.bin.exe	38
PID 660 wrote to memory of 1608	660	shell.bin.exe	38
PID 660 wrote to memory of 1608	660	shell.bin.exe	38
PID 660 wrote to memory of 1608	660	shell.bin.exe	38
PID 660 wrote to memory of 1608	660	shell.bin.exe	38

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\shell.bin.zip
1⤵
PID:1988

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\shell.bin\" -spe -an -ai#7zMap20791:98:7zEvent27178
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:360

C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe
"C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe
  C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe

Filesize
403KB

MD5
4c64b7afcf85249f09da741c700eabb1

SHA1
18286de90456e26005c346430d1891522a8b985b

SHA256
644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f

SHA512
17dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe

Filesize
403KB

MD5
4c64b7afcf85249f09da741c700eabb1

SHA1
18286de90456e26005c346430d1891522a8b985b

SHA256
644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f

SHA512
17dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe

Filesize
403KB

MD5
4c64b7afcf85249f09da741c700eabb1

SHA1
18286de90456e26005c346430d1891522a8b985b

SHA256
644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f

SHA512
17dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa

Download Submit
\Users\Admin\AppData\Local\Temp\shell.bin\shell.bin.exe

Filesize
403KB

MD5
4c64b7afcf85249f09da741c700eabb1

SHA1
18286de90456e26005c346430d1891522a8b985b

SHA256
644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f

SHA512
17dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa

Download Submit
memory/1296-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1608-59-0x00000000002B0000-0x00000000002FC000-memory.dmp

Filesize
304KB

Download
memory/1608-63-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1608-64-0x00000000002B0000-0x00000000002FC000-memory.dmp

Filesize
304KB

Download