65a2750dad8a55c376c995915dd75f6456b4aa6464d720d09726683f73ce800c

Resubmissions

11-11-2023 14:21

231111-rpa9kagf3y 10

Analysis

max time kernel
145s
max time network
98s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
11-11-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.NET.zip
Size

7.1MB
MD5

c8fc145dcca77a5a139dbbb146d5e190
SHA1

20d8c82f50d28c11c4ca0b54157902f1f95f8940
SHA256

65a2750dad8a55c376c995915dd75f6456b4aa6464d720d09726683f73ce800c
SHA512

72f236c04bbe5e7a0c410bdfb388db20dd577d159f50fc3fe7e45be46d47bdf521e2bf42ef9209d66c55806668b350d2d625f5fa1f2925add545d66742cc8940
SSDEEP

196608:Pu9jyp8BUGsqtC97PGhVbZwc7ChFKuqdIG9ZByzDGDhumZ:2yWqGfUPeV+cGhouqd99z6DGDhumZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
200	1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe
2328	1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4868	7zFM.exe
4868	7zFM.exe
4868	7zFM.exe
4868	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4868	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4868	7zFM.exe
Token: 35	4868	7zFM.exe
Token: SeSecurityPrivilege	4868	7zFM.exe
Token: SeSecurityPrivilege	4868	7zFM.exe
Token: SeSecurityPrivilege	4868	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4868	7zFM.exe
4868	7zFM.exe
4868	7zFM.exe
4868	7zFM.exe
4868	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 200	4868	7zFM.exe	77
PID 4868 wrote to memory of 200	4868	7zFM.exe	77
PID 4868 wrote to memory of 2328	4868	7zFM.exe	79
PID 4868 wrote to memory of 2328	4868	7zFM.exe	79

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\.NET.zip
1⤵
PID:4128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4036

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\.NET.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\7zO4032CCE9\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4032CCE9\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe"
  2⤵
  - Executes dropped EXE
  PID:200
- C:\Users\Admin\AppData\Local\Temp\7zO4036A53A\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4036A53A\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe"
  2⤵
  - Executes dropped EXE
  PID:2328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe.log

Filesize
308B

MD5
40444bf6d2dcb924de9570922c00c175

SHA1
8a635d59a8c3bc141bbf9515de025454b2f363f5

SHA256
e3a6b4c43885f486e6a693d47609311c9d7b5d02136dd75cfa4ec569a27bbff2

SHA512
a0551facedd4310d1e5f610988f39c8f94a5e2118ca5022e31f9be9c99952ae44facd0bf614a91cddcc58351837a8054e409aaf0b537c229f33242ec1b86f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4032CCE9\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe

Filesize
102KB

MD5
a43cd48f398a3e6b64f0c038d4ed3efb

SHA1
45c628c283760b74ec1d116dc7107243fcec5404

SHA256
1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73

SHA512
2722acb8ebe1a951869f8243e739e335c0203af124acfc101f2cb2d83215b7b03aa1b43dcea081e4bdd0d008c701aaab220d1b7152f00fd91cb409c12f75c124

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4032CCE9\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe

Filesize
102KB

MD5
a43cd48f398a3e6b64f0c038d4ed3efb

SHA1
45c628c283760b74ec1d116dc7107243fcec5404

SHA256
1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73

SHA512
2722acb8ebe1a951869f8243e739e335c0203af124acfc101f2cb2d83215b7b03aa1b43dcea081e4bdd0d008c701aaab220d1b7152f00fd91cb409c12f75c124

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4036A53A\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe

Filesize
102KB

MD5
a43cd48f398a3e6b64f0c038d4ed3efb

SHA1
45c628c283760b74ec1d116dc7107243fcec5404

SHA256
1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73

SHA512
2722acb8ebe1a951869f8243e739e335c0203af124acfc101f2cb2d83215b7b03aa1b43dcea081e4bdd0d008c701aaab220d1b7152f00fd91cb409c12f75c124

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4036A53A\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe

Filesize
102KB

MD5
a43cd48f398a3e6b64f0c038d4ed3efb

SHA1
45c628c283760b74ec1d116dc7107243fcec5404

SHA256
1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73

SHA512
2722acb8ebe1a951869f8243e739e335c0203af124acfc101f2cb2d83215b7b03aa1b43dcea081e4bdd0d008c701aaab220d1b7152f00fd91cb409c12f75c124

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4036A53A\1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73.exe

Filesize
102KB

MD5
a43cd48f398a3e6b64f0c038d4ed3efb

SHA1
45c628c283760b74ec1d116dc7107243fcec5404

SHA256
1e91735f8f9419790ccf0ab4776075980d9fa7c2bf514b9f99ba73e3d9f40f73

SHA512
2722acb8ebe1a951869f8243e739e335c0203af124acfc101f2cb2d83215b7b03aa1b43dcea081e4bdd0d008c701aaab220d1b7152f00fd91cb409c12f75c124

Download Submit
memory/200-8-0x00007FFB8FDF0000-0x00007FFB90790000-memory.dmp

Filesize
9.6MB

Download
memory/200-10-0x00007FFB8FDF0000-0x00007FFB90790000-memory.dmp

Filesize
9.6MB

Download
memory/200-7-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/200-6-0x00007FFB8FDF0000-0x00007FFB90790000-memory.dmp

Filesize
9.6MB

Download
memory/2328-18-0x00007FFB8FDF0000-0x00007FFB90790000-memory.dmp

Filesize
9.6MB

Download
memory/2328-19-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2328-20-0x00007FFB8FDF0000-0x00007FFB90790000-memory.dmp

Filesize
9.6MB

Download
memory/2328-21-0x00007FFB8FDF0000-0x00007FFB90790000-memory.dmp

Filesize
9.6MB

Download