Analysis
  max time kernel:  35s
  max time network: 36s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230220-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        26-02-2023 22:12
General
  Target: infected.zip
  Size:   11.4MB
  MD5:    20378da4066af3d5b0ac9f0d6879e752
  SHA1:   b6486b33e22c02ee93d32200f2f4f4dbb2dcc08d
  SHA256: c7d5c2d7df032671544a0974fb292e2131b541469ef1daf9c103c1a534a8ee60
  SHA512: 9cc56049ab71c2df9f41f9faa5b30848d33721d1911bca2190ed2a0fae4e54ff959568362a0f0769f985660cab7035816e8cebc30ae35997238b07c671510a31
  SSDEEP: 196608:W/yaLXILj6fFsb16m9kGRii2BSe2qE3LsGqjRGPnosvg93p9N0MY/6FGD2TDY:W/fSj0ebv2G2MJqE389GPnPvgb0Mz4Z
Malware Config
Signatures
Processes:
  resource                                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe   cryptone
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe   cryptone
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
Processes:
  resource                                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll    acprotect
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll    acprotect
Executes dropped EXE (1 IoCs)
Processes:
  pid    process
  3872   Client.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid    process
  3872   Client.exe
Processes:
  resource                                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll          upx
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll          upx
  behavioral1/memory/3872-277-0x0000000010000000-0x000000001003B000-memory.dmp   upx
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                  pid    process
  Token: SeRestorePrivilege    2204   7zFM.exe
  Token: 35                    2204   7zFM.exe
  Token: SeSecurityPrivilege   2204   7zFM.exe
  Token: SeRestorePrivilege    2640   7zG.exe
  Token: 35                    2640   7zG.exe
  Token: SeSecurityPrivilege   2640   7zG.exe
  Token: SeSecurityPrivilege   2640   7zG.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid    process
  2204   7zFM.exe
  2204   7zFM.exe
  2640   7zG.exe
  3872   Client.exe
Suspicious use of SendNotifyMessage (1 IoCs)
Processes:
  pid    process
  3872   Client.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid    process
  3872   Client.exe
  3872   Client.exe
  3872   Client.exe
  3872   Client.exe
Processes
  C:\Windows\Explorer.exe
    Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip

  C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

  C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\infected.zip"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

  C:\Program Files\7-Zip\7zG.exe
    Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\infected\" -spe -an -ai#7zMap436:96:7zEvent23508
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.exe
    Filesize: 6.4MB
    MD5:      8624f5450d12dc8176edeb2473076156
    SHA1:     e0b470210439f0bfdeb0cd8e394a23c3e5c01a19
    SHA256:   8f24d878fa71e2ecc85a67d230d47476434bf845348c5651455e7d56b815e9ae
    SHA512:   a6142d4c845a1a02775fbde5155f9bac257a1115347581db6c535977f1534f282ed189c2d2fc3af8169d844ad04545ed0c10eff26545391ebe58da09cf0b58ed
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\Client.ini
    Filesize: 337B
    MD5:      9d63e1be1d6db9b2b71bda5a922de35f
    SHA1:     9552f4c1ae0d32b69911f278177024065f56d8b1
    SHA256:   a000ab2a922e50cd2c27fdf725958147c819cf0d5a08ecc99d9287ecb8ff1f80
    SHA512:   838755e3499145e6a5b3392763097e937d369a583c61f7f7a9dad51705b56d23a471730709a67e748846a41060281aa2744b06d46c64c6341ce4e9af30663fd4
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\Plugins\QQwry.dat
    Filesize: 9.9MB
    MD5:      ef60d4bf05da99c5d23a9ace6add5d27
    SHA1:     09f4182d5474efdd3c88822b2532c38cc16fde89
    SHA256:   71c82f666885ac7ced69bbb11276f6893bfcfd37b63c34d925480798bbcdf295
    SHA512:   ab95640e155de9dc7ea0b5b9f764bbe993bc80cedd8f401ecc53719da21fa882b9cdcca5395a9976c353309d3581e524bda497f382aae993768f48d52a2a6e01
  C:\Users\Admin\AppData\Local\Temp\infected\Bin\SkinH.dll
    Filesize: 89KB
    MD5:      1a3c27813a808a558f5ca49f6a7d14aa
    SHA1:     910424d61a3f2fff71b2670f5b738cfecc4974f5
    SHA256:   9f1463942ad4a8156c460b02d47b8e8b80c3cee630d2d07f690a18e168fb7ddc
    SHA512:   b413c885928093334c04caf367e3dbbcb7c0493963860ed7bc4a45aefcac2680c2188e1aa1ec7c36637d97f67cbb34ed1f6412356a6f708a6d3fe640ae606fa7
  memory/3872-277-0x0000000010000000-0x000000001003B000-memory.dmp
    Filesize: 236KB