f7af93833123166991144fc3d292b79e714e3b96456ead40ef0fbe0897b60286

Analysis

max time kernel
14s
max time network
17s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24/08/2023, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

auto-reg__Camtasia_22.5.2.exe
Size

14.7MB
MD5

2c0d891072da3b262d81a0841ea6a293
SHA1

ae9f6bab721045a11524c0fe7982f4f623a8f12d
SHA256

f7af93833123166991144fc3d292b79e714e3b96456ead40ef0fbe0897b60286
SHA512

88acaacdcc279d8e6c779b30402d691c23413fe26c3a1ff1602de5a8d425299646b3dc74a4610b643c252d74ed3afbcd978f13d42517b6b8f51ffd87094e98cf
SSDEEP

393216:6OJVBjqqRCbj41A2H2SlgI+QqkUza2LxASiJ:BF6Ye3mgjkF2SSA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	7z2201.exe

Loads dropped DLL 1 IoCs

pid	Process
2796	7z2201.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hi.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sq.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ga.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ka.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sq.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\az.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\co.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sk.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ar.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ne.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\vi.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fi.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fi.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hu.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ko.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\7zCon.sfx	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\si.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sr-spc.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zG.exe	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\7zG.exe	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ba.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nb.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nn.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\el.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sk.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\gu.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kab.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\an.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\es.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fur.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\id.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ca.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\th.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7-zip.chm	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ast.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cs.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nl.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\br.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ku.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.dll	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zCon.sfx	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hu.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	7z2201.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1684	tasklist.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2796	7z2201.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	tasklist.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2420	2964	auto-reg__Camtasia_22.5.2.exe	28
PID 2964 wrote to memory of 2420	2964	auto-reg__Camtasia_22.5.2.exe	28
PID 2964 wrote to memory of 2420	2964	auto-reg__Camtasia_22.5.2.exe	28
PID 2420 wrote to memory of 2796	2420	cmd.exe	30
PID 2420 wrote to memory of 2796	2420	cmd.exe	30
PID 2420 wrote to memory of 2796	2420	cmd.exe	30
PID 2420 wrote to memory of 2796	2420	cmd.exe	30
PID 2420 wrote to memory of 2796	2420	cmd.exe	30
PID 2420 wrote to memory of 2796	2420	cmd.exe	30
PID 2420 wrote to memory of 2796	2420	cmd.exe	30
PID 2420 wrote to memory of 2900	2420	cmd.exe	31
PID 2420 wrote to memory of 2900	2420	cmd.exe	31
PID 2420 wrote to memory of 2900	2420	cmd.exe	31
PID 2420 wrote to memory of 2936	2420	cmd.exe	32
PID 2420 wrote to memory of 2936	2420	cmd.exe	32
PID 2420 wrote to memory of 2936	2420	cmd.exe	32
PID 2420 wrote to memory of 2828	2420	cmd.exe	33
PID 2420 wrote to memory of 2828	2420	cmd.exe	33
PID 2420 wrote to memory of 2828	2420	cmd.exe	33
PID 2420 wrote to memory of 2948	2420	cmd.exe	34
PID 2420 wrote to memory of 2948	2420	cmd.exe	34
PID 2420 wrote to memory of 2948	2420	cmd.exe	34
PID 2948 wrote to memory of 1684	2948	cmd.exe	35
PID 2948 wrote to memory of 1684	2948	cmd.exe	35
PID 2948 wrote to memory of 1684	2948	cmd.exe	35
PID 2420 wrote to memory of 1256	2420	cmd.exe	37
PID 2420 wrote to memory of 1256	2420	cmd.exe	37
PID 2420 wrote to memory of 1256	2420	cmd.exe	37
PID 2420 wrote to memory of 2204	2420	cmd.exe	38
PID 2420 wrote to memory of 2204	2420	cmd.exe	38
PID 2420 wrote to memory of 2204	2420	cmd.exe	38
PID 2420 wrote to memory of 396	2420	cmd.exe	39
PID 2420 wrote to memory of 396	2420	cmd.exe	39
PID 2420 wrote to memory of 396	2420	cmd.exe	39
PID 396 wrote to memory of 2376	396	cmd.exe	40
PID 396 wrote to memory of 2376	396	cmd.exe	40
PID 396 wrote to memory of 2376	396	cmd.exe	40
PID 2420 wrote to memory of 2428	2420	cmd.exe	41
PID 2420 wrote to memory of 2428	2420	cmd.exe	41
PID 2420 wrote to memory of 2428	2420	cmd.exe	41
PID 2428 wrote to memory of 1792	2428	cmd.exe	42
PID 2428 wrote to memory of 1792	2428	cmd.exe	42
PID 2428 wrote to memory of 1792	2428	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\auto-reg__Camtasia_22.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\auto-reg__Camtasia_22.5.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\system32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\47YNRANY.bat" "C:\Users\Admin\AppData\Local\Temp\auto-reg__Camtasia_22.5.2.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\qbF7675CC.F8\7z2201.exe
    "C:\Users\Admin\AppData\Local\Temp\qbF7675CC.F8\7z2201.exe" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2796
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\qbF7675CC.F8\P" "C:\Program Files\TechSmith\Camtasia 2022" /S /E /Y /R
    3⤵
    PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo ------ Camtasia successfully registered! ------ "
    3⤵
    PID:2936
- - C:\Windows\system32\msg.exe
    msg *
    3⤵
    PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1684
- - C:\Windows\system32\reg.exe
    Reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
    3⤵
    PID:1256
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
    3⤵
    PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
      4⤵
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
      4⤵
      PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47YNRANY.bat

Filesize
22KB

MD5
1774cda75182ab19404dde3204189948

SHA1
c6797d3b7cba460990bd738a8ea92ced51654f64

SHA256
c2861f1672136dce039b42e51f9eaaa5687e12205f3745df4f2f7f6a4b248b18

SHA512
9fdb53a30b7cf4777bf6c3666a00b1faa5a090fa47a7b22c0e7d8d62d1447b0e8fd1ee6bfadb9fc4af7b11be4e1d6f1ff0e092774a2e9028d04e0df25170f2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbF7675CC.F8\7z2201.exe

Filesize
1.2MB

MD5
734e95cdbe04f53fe7c28eeaaaad7327

SHA1
e49a4d750f83bc81d79f1c4c3f3648a817c7d3da

SHA256
8c8fbcf80f0484b48a07bd20e512b103969992dbf81b6588832b08205e3a1b43

SHA512
16b02001c35248f18095ba341b08523db327d7aa93a55bcee95aebb22235a71eae21a5a8d19019b10cac3e7764a59d78cf730110bae80acc2ff249bbc7861ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbF7675CC.F8\7z2201.exe

Filesize
1.2MB

MD5
734e95cdbe04f53fe7c28eeaaaad7327

SHA1
e49a4d750f83bc81d79f1c4c3f3648a817c7d3da

SHA256
8c8fbcf80f0484b48a07bd20e512b103969992dbf81b6588832b08205e3a1b43

SHA512
16b02001c35248f18095ba341b08523db327d7aa93a55bcee95aebb22235a71eae21a5a8d19019b10cac3e7764a59d78cf730110bae80acc2ff249bbc7861ad7

Download Submit
\Program Files (x86)\7-Zip\7zFM.exe

Filesize
574KB

MD5
bbb2667d9b2fd922e52883a63e8cd948

SHA1
d4238ac5e2eb3ec7236e5e098ee3b31d26efebee

SHA256
69392e292a0e7195e0c96bbbfe989949d044b63dbce2e5324f1bb99aa2560e3f

SHA512
2f801ae372ca3fc4cd858b6d1783977c8357e5616f45311ffff70b3eee20490f2c6e34a12139a6c0b9faaaf6e59985fabc1cae22510e6b632bae425a58793681

Download Submit
memory/2964-229-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download