b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-01-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4.exe
Size

2.5MB
MD5

da5ffbe5ca612a03fadbcef8f3fd38de
SHA1

0b12f1b7bda89f18f84586e31e4ffde1e3379847
SHA256

b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4
SHA512

5028c09cce60a102f9ab92e035e5595c825e9c962a744ac1c0e3fcab39f46413ad9745b193508b5c6ffb301b8e752d3c585a9f25a068e0169a8bc72f8f959f87
SSDEEP

49152:X95tQNQaAGEbSFfSgf6uW1govv74BKHcJiUnJ/i+1oHeXvshN:X952bA1kWuWdvzMXtJ/i+1oHUshN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2568	7z.exe
2680	7z.exe
2468	7z.exe
2728	7z.exe
1940	7z.exe
2472	Installer.exe

Loads dropped DLL 10 IoCs

pid	Process
2340	cmd.exe
2568	7z.exe
2340	cmd.exe
2680	7z.exe
2340	cmd.exe
2468	7z.exe
2340	cmd.exe
2728	7z.exe
2340	cmd.exe
1940	7z.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 1472	2472	Installer.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Installer.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2472	Installer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1472	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2568	7z.exe
Token: 35	2568	7z.exe
Token: SeSecurityPrivilege	2568	7z.exe
Token: SeSecurityPrivilege	2568	7z.exe
Token: SeRestorePrivilege	2680	7z.exe
Token: 35	2680	7z.exe
Token: SeSecurityPrivilege	2680	7z.exe
Token: SeSecurityPrivilege	2680	7z.exe
Token: SeRestorePrivilege	2468	7z.exe
Token: 35	2468	7z.exe
Token: SeSecurityPrivilege	2468	7z.exe
Token: SeSecurityPrivilege	2468	7z.exe
Token: SeRestorePrivilege	2728	7z.exe
Token: 35	2728	7z.exe
Token: SeSecurityPrivilege	2728	7z.exe
Token: SeSecurityPrivilege	2728	7z.exe
Token: SeRestorePrivilege	1940	7z.exe
Token: 35	1940	7z.exe
Token: SeSecurityPrivilege	1940	7z.exe
Token: SeSecurityPrivilege	1940	7z.exe
Token: SeDebugPrivilege	1472	RegSvcs.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2340	2792	b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4.exe	37
PID 2792 wrote to memory of 2340	2792	b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4.exe	37
PID 2792 wrote to memory of 2340	2792	b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4.exe	37
PID 2792 wrote to memory of 2340	2792	b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4.exe	37
PID 2340 wrote to memory of 2552	2340	cmd.exe	28
PID 2340 wrote to memory of 2552	2340	cmd.exe	28
PID 2340 wrote to memory of 2552	2340	cmd.exe	28
PID 2340 wrote to memory of 2568	2340	cmd.exe	35
PID 2340 wrote to memory of 2568	2340	cmd.exe	35
PID 2340 wrote to memory of 2568	2340	cmd.exe	35
PID 2340 wrote to memory of 2680	2340	cmd.exe	34
PID 2340 wrote to memory of 2680	2340	cmd.exe	34
PID 2340 wrote to memory of 2680	2340	cmd.exe	34
PID 2340 wrote to memory of 2468	2340	cmd.exe	33
PID 2340 wrote to memory of 2468	2340	cmd.exe	33
PID 2340 wrote to memory of 2468	2340	cmd.exe	33
PID 2340 wrote to memory of 2728	2340	cmd.exe	32
PID 2340 wrote to memory of 2728	2340	cmd.exe	32
PID 2340 wrote to memory of 2728	2340	cmd.exe	32
PID 2340 wrote to memory of 1940	2340	cmd.exe	31
PID 2340 wrote to memory of 1940	2340	cmd.exe	31
PID 2340 wrote to memory of 1940	2340	cmd.exe	31
PID 2340 wrote to memory of 2464	2340	cmd.exe	30
PID 2340 wrote to memory of 2464	2340	cmd.exe	30
PID 2340 wrote to memory of 2464	2340	cmd.exe	30
PID 2340 wrote to memory of 2472	2340	cmd.exe	29
PID 2340 wrote to memory of 2472	2340	cmd.exe	29
PID 2340 wrote to memory of 2472	2340	cmd.exe	29
PID 2340 wrote to memory of 2472	2340	cmd.exe	29
PID 2340 wrote to memory of 2472	2340	cmd.exe	29
PID 2340 wrote to memory of 2472	2340	cmd.exe	29
PID 2340 wrote to memory of 2472	2340	cmd.exe	29
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42
PID 2472 wrote to memory of 1472	2472	Installer.exe	42

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4.exe
"C:\Users\Admin\AppData\Local\Temp\b57fe599791c010401a65bd6064dfd0ea26c71853999077198056bb821a8d1a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2340

C:\Windows\system32\mode.com
mode 65,10
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472

C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
1⤵
- Views/modifies file attributes
PID:2464

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p202360552045190481288228861 -oextracted
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.1MB

MD5
cd54ef30090ff1e8c449f7c7d7215bb4

SHA1
96bdc05d74b6a4b5b2fad53ca055a41a00b54c8d

SHA256
7303ea7bed83e033ffcb0dc60c24c96795d2b61910440c28766ae821cd4bbd44

SHA512
9bff1a610688a1c76cebab8cb25a0849c6fda5e888f7d2b5370e8c0f8b91e8efb81c78b179a885a4753b321dc778728f4330a115b6db568d80990ec830898861

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
337d64af42edcd311737a1b90961c0f9

SHA1
f8d629e57d670e009266a4fcbfdc940e41105194

SHA256
5540d82644dc8e4dc4009a54aba5e2545959aa802f5d9e05da549aeec0d7f5fc

SHA512
2fc15093cf7ff815998116987b71037799d4e7c4d97564e3c320c57349feb3b13af9770dbcd19b54bb6ad3186ba8b9d1abdef406d582db71cdd460cd81a85601

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
92KB

MD5
acffdc31f6d80f204375147644fd3437

SHA1
4ca721f135c4f31dfec93554c30d751a9cccca3d

SHA256
13a926262a6388325d8118a0eb15e425d91252262b8bd79f87c1f8a42bedb81f

SHA512
b30bde48bf91010ad5aaefb63ff800124df7734ac80b68a582943371c04db3c9b4e54bfe46e2675b05ce0e7a1ab625f554711d3cb0967e13f3fa443924a75237

Download Submit
memory/1472-97-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1472-99-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1472-103-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1472-106-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1472-107-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1472-108-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/1472-109-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1472-110-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-96-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download