Malware Analysis Report

2024-12-08 00:41

Sample ID 240205-b8vvbafhd5
Target file_ver2.rar
SHA256 0580c368750949c6793fcf215adf542529fd2a2df2586d6e0eb030df3753f62d
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0580c368750949c6793fcf215adf542529fd2a2df2586d6e0eb030df3753f62d

Threat Level: Shows suspicious behavior

The file file_ver2.rar was classified as "shows suspicious behavior" (score 7/10). Read that score against the process tree: in both detonations the sandbox ran cmd /c on the .rar path, which hands the archive to its registered handler, 7-Zip File Manager (7zFM.exe). The report lists no files extracted from the archive and no process spawned from its contents; every signature below is attributed to 7zFM.exe, iexplore.exe, cmd.exe or explorer.exe. The AdjustPrivilegeToken hits are 7-Zip enabling SeRestorePrivilege and privilege 35 (SeCreateSymbolicLinkPrivilege), the privileges it requests so that it can restore file attributes and symbolic links, and the "Modifies Internet Explorer settings" rows are iexplore.exe writing its own HKCU keys on first start. The score therefore reflects generic signatures triggered by default Windows applications, not the archive's payload, which still needs static inspection.

Malicious Activity Summary


Checks computer location settings

Enumerates physical storage devices

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-05 01:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-05 01:49

Reported

2024-02-05 01:54

Platform

win7-20231215-en

Max time kernel

88s

Max time network

89s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\file_ver2.rar

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{58C10E51-C3C9-11EE-9305-4AE60EE50717} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\file_ver2.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_ver2.rar"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\Cab8FC2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11cc0cfdffcf4c70aeb6a66406b2abfe
SHA1 22419bfc560082e5a2e220ddfa4783b8ecdad1d3
SHA256 677d25df94c31eb19a4aa2abcd395be08be460d7a0ec26e4bfd7d7ae09bbf897
SHA512 92ca0e750dba49b429b1e84c1a5ab4b4de2c9cf72823aa457da7f7c95295aabe5d4fba92e967d3c8262b8c8f6d317d118ff2b60b99ffd9f0ccd612c99805b25b

C:\Users\Admin\AppData\Local\Temp\Tar9054.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7dd2f72ef5b5a79c4890e129b06de64f
SHA1 eae1e626b9086e8a18f77e5d6453023df1d3f20a
SHA256 6c8e25d8bc261c0232668112937aaa958c2914f27c6a3fcc8737736716b9d7cd
SHA512 eff856b18c8274448afd1be7c745ab2ca0715910300bbd6781d12556c1d10d4a80ed2a20306c8d2fe72a2575e4588cb56f0e192064ba008e96068adc3ae74f8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae071eb55ea341a504c52c2e2f4bfc0c
SHA1 8e8ce6502008bdb9541fad448d2d205095ea0cf6
SHA256 37ebad1cc8918db26b7d8c716385aad16f70f831d487fabf1303fb27afa026dd
SHA512 38718c678e502f33ab5937330ada5a903d5181276234ad390f35dd80412460558e8f3a832e588a35e417d789cda76d865c7b35ae5a0123851c106542a2842adc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aebcaed1dd16f5c4e7d6b9faa9713a56
SHA1 554bc046f3271b1c0942a28a85678970ffbb4c45
SHA256 e4b8a903bf3803dc79afc79f0b2b49977ef7a4fc93dc941fad044bd9f7c6fc73
SHA512 8467eae04ee310b76204095cd503c505d96e102a2e0c997be07183084abbdbade1a5af95beac807125705efb65cb931d0796ba53bc8568d1b24782800ce77702

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cab2747c78dda884f61918b4a376df1
SHA1 d5ca7a2fdfffb45fb12a1f606ce0286000cf193b
SHA256 82aeb0a4edd8aeae519762e2e97434774e00d157027e6a29206a9ff7f13e59e1
SHA512 2f1834e895af5ed461614f239737ef73b1ad70eae949ba6aac06259b78561aea60c7f48680b722ae242defe7ae74640a7499804ad4184287e42b36e3c6045054

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 326af30163dd7754d65e7d93ebf45487
SHA1 eab48fed96d768ac3a7f9dd92466e28cd831d6eb
SHA256 3c7ac6a375946a68375614e632067a543c76991f47322a42a3f20f87d323c6a2
SHA512 012acbf4aec36be90464ba426097ca260f23d48d24906abdbe7448f9df543981748bdb9edc9b720f1aa65bf57b156a3ff8bff805d917f109cc3749585b152f97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbc1b43bfebdfb6348eddb551ec7058d
SHA1 62d17c642e93193b83d9801d719b61f9cde7af56
SHA256 09a8d7d82c79ad58b990c389416082f8ce0b84ee24d4a4fe28b639e292b725cc
SHA512 262a767336ed099f2228e8d651ad2fca36e77473be8147e5ddfd7fe249ae37b183d69d6481490249c8f882f8f6da542a4effd77603299a03cd15778c7f0a2115

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e60ad30331db8dd993d8ecca9645e32
SHA1 6578ca554332371a16e06d50d92a78cf6ca9b021
SHA256 612684fb2c253849b44a20e757c1931691c8b542b2cff03842e8fb76ddca62e2
SHA512 532007cd7e1b614dde6edfe6842270315cc6ab2f139addbd34a2896ecb8aac79f99ed5332be7afe0643a6465d64e7825c99986669c8c354109304d4658b9ccbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ef729cb0a227934cc30156a7b21ce78
SHA1 07ed269b9773922784b9f4e959f7b17fe1356f35
SHA256 1e6a0cd3790dbf96158319e3a3649486a9b9da24d4fa37aa185b329139a51d11
SHA512 9083a5245e2a8097578dfc4d1c857b2e21cfe2717dd7553a3ce31a32414f33aa9d1100ef1f5e33bcbb1387a196380b813b114df81bdb431b6a0aee7b77e9e81c

C:\Users\Admin\AppData\Local\Temp\~DF54459CBD4DA96D1F.TMP

MD5 8745ff5d52fa1867dc46aff0ad9dd75e
SHA1 8dac39e3fcd8141af9234b1476f055943159ea9c
SHA256 e37a46460096ed9f9cdc11840cc3ea4b02d606b1bc752167980154f205d41ec0
SHA512 db1bb2c6f7cf052f2297ca747dc55c0e9b1d688ba11e46a0e6903ab44493a2a81c83a264dc379bfe8ee4a2f2ab6fa67e2b27edf3f30a6c24eaec7895943034c0

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-05 01:49

Reported

2024-02-05 01:54

Platform

win10v2004-20231222-en

Max time kernel

89s

Max time network

90s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\file_ver2.rar

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
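The registry rows in this report (the "Modifies Internet Explorer settings" table in behavioral1 and the "Checks computer location settings" and "Modifies registry class" rows above) are flattened to one line per event with the columns run together, which makes it easy to misread which process touched what. The following helper is an added example written for this page, not part of the sandbox report or its tooling: it parses that row format into records, maps the \REGISTRY\USER\<SID> and <SID>_Classes prefixes to their HKCU equivalents (an assumption about the sandbox's path convention), and counts events per process, operation and key area. The eight rows in SAMPLE_ROWS are copied from this report; the full tables can be pasted in the same way.

```python
"""Parse this report's flattened 'Description Indicator Process Target'
registry rows into structured records and summarise them.

Added example; not part of the sandbox report. SAMPLE_ROWS is copied from
the report's signature tables; the parser, regexes and HKCU mapping are
illustrative helper code written for this page.
"""
import re
from collections import Counter

SAMPLE_ROWS = r"""
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{58C10E51-C3C9-11EE-9305-4AE60EE50717} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
"""

# Operation, then the indicator (always a \REGISTRY\... path, possibly with
# ' = <data>'), then the acting process (a drive path), then the target.
ROW_RE = re.compile(
    r"^(?P<op>Key created|Key value queried|Set value \((?P<vtype>\w+)\))\s+"
    r"(?P<indicator>\\REGISTRY\\.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?)\s+"
    r"(?P<target>N/A|[A-Za-z]:\\\S.*)$"
)
# \REGISTRY\USER\<SID> is the user's HKCU; <SID>_Classes is HKCU\Software\Classes.
HIVE_RE = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)(?P<classes>_Classes)?\\(?P<rel>.*)$"
)


def parse_row(line):
    """Return a dict with op, vtype, key, value_name, data, process, target, sid."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    rec = m.groupdict()
    key, _, data = rec.pop("indicator").partition(" = ")
    if rec["op"] == "Key created":
        rec["value_name"] = None
    else:
        # Value operations name a value: split it off the key path.
        key, _, rec["value_name"] = key.rpartition("\\")
    rec["data"] = data.strip('"') or None
    h = HIVE_RE.match(key)
    if h:
        root = r"HKCU\Software\Classes" if h.group("classes") else "HKCU"
        rec["sid"] = h.group("sid")
        rec["key"] = root + "\\" + h.group("rel")
    else:
        rec["sid"] = None
        rec["key"] = key
    return rec


def summarize(rows_text):
    """Parse every non-empty line and count by process, operation and key area."""
    recs = [parse_row(l) for l in rows_text.strip().splitlines() if l.strip()]
    return {
        "records": recs,
        "by_process": Counter(r["process"] for r in recs),
        "by_op": Counter(r["op"] for r in recs),
        # First three path components under the hive, e.g.
        # HKCU\Software\Microsoft\Internet Explorer.
        "areas": Counter("\\".join(r["key"].split("\\")[:4]) for r in recs),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for name in ("by_process", "by_op", "areas"):
        print(name, dict(s[name]))
```

Run against the full behavioral1 table, the per-process and area counters show all 28 events under HKCU\Software\Microsoft\Internet Explorer by the two iexplore.exe images, which is the basis for treating that signature as browser start-up noise rather than payload activity.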

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2280 wrote to memory of 5056 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 2280 wrote to memory of 5056 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\file_ver2.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_ver2.rar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
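The two Network tables (behavioral1's single forward lookup of api.bing.com and the nine in-addr.arpa queries above) are easier to assess once each PTR name is turned back into the address being reverse-resolved. The helper below is an added example written for this page, not part of the sandbox report: the rows in NETWORK_ROWS are copied from the two tables, while the parser, the PTR decoder and the summary are assumed helper code. What it makes explicit is that the only destination in either run is the resolver 8.8.8.8:53 over UDP, so the report records DNS lookups only, and no connection to any of the hosts looked up.

```python
"""Decode the Network tables of this report (behavioral1 and behavioral2).

Added example, not part of the sandbox report. NETWORK_ROWS copies the rows
from the two Network tables; the parser, the PTR decoder and the summary are
illustrative helper code written for this page.
"""
import ipaddress
import re

# Rows copied from the report: behavioral1 (one forward lookup) and
# behavioral2 (nine reverse lookups). Columns: Country Destination Domain Proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^(?P<country>\S+)\s+(?P<dest>\S+)\s+(?P<domain>\S+)\s+(?P<proto>\S+)$")


def parse_rows(text):
    """Turn the flattened table rows into dicts; reject anything malformed."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised network row: {line!r}")
        rows.append(m.groupdict())
    return rows


def ptr_to_ipv4(name):
    """Reverse a PTR name such as '209.205.72.20.in-addr.arpa' back to the
    IPv4 address being looked up (20.72.205.209). Returns None for names
    that are not well-formed IPv4 reverse-lookup names."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def summarize(rows):
    """Separate reverse from forward lookups and record what the sandbox
    actually talked to (in this report, only the resolver)."""
    reverse, forward = [], []
    for r in rows:
        ip = ptr_to_ipv4(r["domain"])
        if ip is None:
            forward.append(r["domain"])
        else:
            reverse.append(ip)
    return {
        "destinations": sorted({(r["dest"], r["proto"]) for r in rows}),
        "forward_lookups": forward,
        "reverse_lookups": [str(ip) for ip in reverse],
        # Public addresses are the ones worth enriching with external intel.
        "public_reverse_targets": [str(ip) for ip in reverse if ip.is_global],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rows(NETWORK_ROWS)), indent=2))
```

The decoded addresses are what to check against passive DNS or ASN data; the report itself attributes them to nothing beyond the PTR query, so ownership of those hosts is not something this page establishes.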

Files

N/A