fda45010d8297cf7afd9ebb35510cf2628daf5fb247f7dad2c765e91674e2b52

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S3tupp__Pswrd--1231.rar
Size

29.3MB
MD5

dadbd17d0d0832e38e7d4bab8f47ac3d
SHA1

3a228e41c037b72f3f424fa0a15193ec25e3a133
SHA256

fda45010d8297cf7afd9ebb35510cf2628daf5fb247f7dad2c765e91674e2b52
SHA512

df7772e295161ba98dc1753f11c68c793affad5efac33c663e1715d1301e2e4e8a6aae9c8251f9a67426a9e1c64ac83c06afb27c441899ba078889f4dcd6fe41
SSDEEP

786432:i+pKhCnj7oI++Dwfw0Wwcn3GGQr7w4Y7xpYcV/pl36o7:iNAj++DwfKn3G97GPjr7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2328	7zFM.exe
Token: 35	2328	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2328	1960	cmd.exe	22
PID 1960 wrote to memory of 2328	1960	cmd.exe	22
PID 1960 wrote to memory of 2328	1960	cmd.exe	22

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\S3tupp__Pswrd--1231.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S3tupp__Pswrd--1231.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\7zO819708D6\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO819708D6\Setup.exe"
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\7zO819A6127\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO819A6127\Setup.exe"
    3⤵
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO819A6127\Setup.exe

Filesize
92KB

MD5
cfe55333b737cb9471b2ed844bd7754f

SHA1
327abdf2e91e2c082dc2080d6134744d84e464e6

SHA256
4332d30866355362ba3c3373107af172f9bed61774d41fe59a9799faa7b0b309

SHA512
8545d4bd07414dbb55653d7be25c41d90b3c1312d6c4c9db9eb9e6e02d0d0bc2c2e30f665feb8ab566efc7f0b7b45065b3ddaecbf816041559b7f56f3545387b

Download Submit
memory/2824-46-0x0000000000BC0000-0x0000000000C5B000-memory.dmp

Filesize
620KB

Download
memory/2864-45-0x00000000011A0000-0x000000000123B000-memory.dmp

Filesize
620KB

Download