Overview

overview

7

Static

static

3

MSVCR100.dll

windows7-x64

MSVCR100.dll

windows10-2004-x64

WebView2Loader.dll

windows7-x64

WebView2Loader.dll

windows10-2004-x64

3

exe.exe

windows7-x64

exe.exe

windows10-2004-x64

3

i7.exe

windows7-x64

i7.exe

windows10-2004-x64

7

jli.dll

windows7-x64

3

jli.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    152s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    i7.exe

  • Size

    15KB

  • MD5

    4afcab972e98ecbf855f915b2739f508

  • SHA1

    615dc2fa827fab39e16a7e9721f484e7f4d34f8e

  • SHA256

    7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d

  • SHA512

    58258f74d7e35c5a83234a98bc033846be5a65146bd992e738a8678706a18c30759bd405fbb30a296181e2f92acb0219df8979030cc45d1cdec6ac06e8bc00d5

  • SSDEEP

    384:Gpsx5cnV21mSHhV8b+lee84SzFnYPLr7aq:GpscnfS/8KUe8jC7aq

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\i7.exe
    "C:\Users\Admin\AppData\Local\Temp\i7.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess Users\Admin\AppData\Local\Temp.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess cmd.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess powershell.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5012
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\win.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\shutdown.exe
        SHUTDOWN -r -f -t 60
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess cmd.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess Users\Admin\AppData\Local\Temp.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3252
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess powershell.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:984
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\win.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3368
      • C:\Windows\SysWOW64\shutdown.exe
        SHUTDOWN -r -f -t 60
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b8855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    3c380ef500f0e5d44d5664249d51a935

    SHA1

    be120b7bfb228ce763bc676f29b238b272d3bf1f

    SHA256

    1c40154d13ad49ab7fd05bf5ca9102f9cac16be3dcc832e643309fc29073bf6e

    SHA512

    bdd23198629d3a9c9ccf8335ffe0bed1443be52e875389c69237cdb2b3985447a04a1a5a710fdfd6e70c615cdc6da8c64a6a1a0c2a607be5a66bb929d5338f3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    4fef0484557598a0f6480b769eca764f

    SHA1

    df8221befc48ab75401468b9e1a5a9ca5affd06e

    SHA256

    588af496792c3051778d124d4aae6c290cf32d336cc8c345ed1b4b0378332c99

    SHA512

    535704e8c2b3cb06a8d043898913f4fbf7e26fbaaca4fa0b1bf379e79e51c6d0178331e0cb78b6318f515270a179668ac1efdfa585d478c7185761810554c78c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    4fef0484557598a0f6480b769eca764f

    SHA1

    df8221befc48ab75401468b9e1a5a9ca5affd06e

    SHA256

    588af496792c3051778d124d4aae6c290cf32d336cc8c345ed1b4b0378332c99

    SHA512

    535704e8c2b3cb06a8d043898913f4fbf7e26fbaaca4fa0b1bf379e79e51c6d0178331e0cb78b6318f515270a179668ac1efdfa585d478c7185761810554c78c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    6c5c02c7532cb105f2566952e03b9c71

    SHA1

    5fa5897c6fc90bdea6773d3493d883e2b934451c

    SHA256

    5fc963e4612e1b4d8d67f5bc1b6126871ba20fe172987d9d180b50182aed7ffc

    SHA512

    b966ab2bc800e654cbbb7983c6f5015b20f699c4bd1e41b6a358dd505e536c96fd6551a3f19a28ab930d7d4d129560203c1f3760635ebee2d2301137fde61e75

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    6c5c02c7532cb105f2566952e03b9c71

    SHA1

    5fa5897c6fc90bdea6773d3493d883e2b934451c

    SHA256

    5fc963e4612e1b4d8d67f5bc1b6126871ba20fe172987d9d180b50182aed7ffc

    SHA512

    b966ab2bc800e654cbbb7983c6f5015b20f699c4bd1e41b6a358dd505e536c96fd6551a3f19a28ab930d7d4d129560203c1f3760635ebee2d2301137fde61e75

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    b5fb5e7e4c8ed59584402f543757fc3d

    SHA1

    f4aa4740044c1f88689ad79c469786d5c1f7c2f6

    SHA256

    7a8f02f096f9502a7ea2b4e3cdee18c6069bf493e3ce593b50fd7df0331f7e3e

    SHA512

    c275425a6a45b246c7e687e425f04c8b827f7f51e7c5f64f8f6422343686fa78455c6175a88327cc256b5638e68064db9c813001daed69fdc393c9ad26d54992

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    501417b34ec19ec178271b2834504338

    SHA1

    71e12439404d372c863b569fc305165acb448287

    SHA256

    d42fa6ce238d8c1e98971a74307dc9d45d3300a8e6267229e3ea9afeb9a7bcf1

    SHA512

    ef1a9c175746e8c83ff8be598d46ecd4cbe97fd9ca843939be32739cacac4adcc301833b7f4ea33cc5a0697d5de6f4f977e0b1b2821d3c56284c2693c8ecb2ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rezwkhhu.c4x.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\win.bat
    Filesize

    22B

    MD5

    3e8bb8d3131766d2bcd4725fa77bc813

    SHA1

    d3490f7ebf044f2bab2b3af64f1ade2321da62a1

    SHA256

    9f5948c641dc7c1475cf674b46bf3457709001bb92963477e3643c62557a9d7a

    SHA512

    ff3373cd9d882581528fe817460e4a34a3fa1b2916900f06df0f47ef6972dcdd1c50c78aad08e8b9d17d37d8e0df3fddba268f88369f770365784dd395ebd293

    Download Submit

  • C:\Users\win.bat
    Filesize

    22B

    MD5

    3e8bb8d3131766d2bcd4725fa77bc813

    SHA1

    d3490f7ebf044f2bab2b3af64f1ade2321da62a1

    SHA256

    9f5948c641dc7c1475cf674b46bf3457709001bb92963477e3643c62557a9d7a

    SHA512

    ff3373cd9d882581528fe817460e4a34a3fa1b2916900f06df0f47ef6972dcdd1c50c78aad08e8b9d17d37d8e0df3fddba268f88369f770365784dd395ebd293

    Download Submit

  • memory/440-5-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-60-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-129-0x000000007EF60000-0x000000007EF70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/440-15-0x00000000049F0000-0x0000000004A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/440-85-0x000000006FDB0000-0x000000006FDFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/440-26-0x00000000049F0000-0x0000000004A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/440-2-0x00000000023A0000-0x00000000023D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/440-83-0x0000000006CA0000-0x0000000006CD2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/440-69-0x00000000049F0000-0x0000000004A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/440-67-0x00000000049F0000-0x0000000004A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/984-127-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/984-79-0x0000000002A70000-0x0000000002A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1548-166-0x0000000006E10000-0x0000000006E2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1548-55-0x0000000006040000-0x000000000608C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1548-3-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1548-4-0x0000000004C10000-0x0000000005238000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1548-7-0x0000000004A00000-0x0000000004A22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1548-11-0x0000000005460000-0x00000000054C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1548-174-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1548-59-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1548-68-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1548-170-0x0000000006E70000-0x0000000006E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1548-165-0x0000000007470000-0x0000000007AEA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1548-84-0x000000006FDB0000-0x000000006FDFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1548-71-0x0000000002280000-0x0000000002290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1548-95-0x0000000006090000-0x00000000060AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1548-130-0x000000007FA00000-0x000000007FA10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1548-8-0x00000000053F0000-0x0000000005456000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1548-108-0x0000000006D00000-0x0000000006DA3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1548-21-0x00000000054D0000-0x0000000005824000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1548-54-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3252-75-0x0000000002E30000-0x0000000002E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3252-74-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3252-173-0x0000000002E30000-0x0000000002E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3252-178-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4304-63-0x00000000049E0000-0x00000000049F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4304-106-0x000000006FDB0000-0x000000006FDFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4304-9-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4304-62-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4304-14-0x00000000049E0000-0x00000000049F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4304-175-0x00000000049E0000-0x00000000049F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4304-72-0x00000000049E0000-0x00000000049F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4304-10-0x00000000049E0000-0x00000000049F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4304-66-0x00000000049E0000-0x00000000049F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4304-82-0x000000007F090000-0x000000007F0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4720-56-0x0000000000FE0000-0x0000000001A8B000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/4720-272-0x0000000000FE0000-0x0000000001A8B000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/4720-70-0x0000000000FE0000-0x0000000001A8B000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/4720-0-0x0000000000FE0000-0x0000000001A8B000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/4720-270-0x0000000000FE0000-0x0000000001A8B000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/4720-1-0x0000000000E90000-0x0000000000E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4720-177-0x0000000000FE0000-0x0000000001A8B000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/4820-96-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4820-77-0x0000000002920000-0x0000000002930000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-76-0x0000000002920000-0x0000000002930000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-81-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-80-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-78-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5012-107-0x000000006FDB0000-0x000000006FDFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5012-12-0x0000000002A20000-0x0000000002A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5012-13-0x0000000002A20000-0x0000000002A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5012-65-0x0000000002A20000-0x0000000002A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5012-61-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5012-64-0x0000000002A20000-0x0000000002A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5012-6-0x0000000073520000-0x0000000073CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5012-176-0x0000000002A20000-0x0000000002A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5012-73-0x0000000002A20000-0x0000000002A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5012-172-0x0000000007710000-0x0000000007721000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5012-171-0x0000000007790000-0x0000000007826000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5012-131-0x000000007FBA0000-0x000000007FBB0000-memory.dmp

    Filesize

    64KB

    Download