1663117400c2a309b93d04c9d99858c1508b43cf9a54a8590eb437448e015ec3

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo_Intime_AppBeta_v2.1.rar
Size

5.9MB
MD5

f3e4c9aaa59f480fb3c2cb69333ff076
SHA1

93474290b5fcc2178ce09f0d67607ff34f170319
SHA256

1663117400c2a309b93d04c9d99858c1508b43cf9a54a8590eb437448e015ec3
SHA512

423e8480ca77806fdac685a81c5d2920e3087b6d77b13fe31bb6657de425bc1c084cd752c0d81c7beead0afef5d78bf1f34ef175c08b8006df654af5c9850210
SSDEEP

98304:QvlZVHUk4bdmkfXNCX4/rp8XjYJzs2xSje6/tlGJb76W1C+F3lwm/FnvjgCODq:GTmbdmSXNCI/m+zsGSZoJb76EwmdnvQ2

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI28682\python311.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

Photo Intime AppData v2.1.exePhoto Intime AppData v2.1.exe

pid process

2868 Photo Intime AppData v2.1.exe
2176 Photo Intime AppData v2.1.exe
Loads dropped DLL 2 IoCs

Processes:

Photo Intime AppData v2.1.exePhoto Intime AppData v2.1.exe

pid process

2868 Photo Intime AppData v2.1.exe
2176 Photo Intime AppData v2.1.exe

pid	process
2868	Photo Intime AppData v2.1.exe
2176	Photo Intime AppData v2.1.exe

pid	process
2868	Photo Intime AppData v2.1.exe
2176	Photo Intime AppData v2.1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI28682\python311.dll	upx
behavioral1/memory/2176-61-0x0000000074AF0000-0x0000000074FF3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exePhoto Intime AppData v2.1.exe

pid process

2832 7zFM.exe
2176 Photo Intime AppData v2.1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 2832 7zFM.exe
Token: 35 2832 7zFM.exe
Token: SeSecurityPrivilege 2832 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

2832 7zFM.exe
2832 7zFM.exe

pid	process
2832	7zFM.exe
2176	Photo Intime AppData v2.1.exe

description	pid	process
Token: SeRestorePrivilege	2832	7zFM.exe
Token: 35	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe

pid	process
2832	7zFM.exe
2832	7zFM.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.exe7zFM.exePhoto Intime AppData v2.1.exe

description	pid	process	target process
PID 2060 wrote to memory of 2832	2060	cmd.exe	7zFM.exe
PID 2060 wrote to memory of 2832	2060	cmd.exe	7zFM.exe
PID 2060 wrote to memory of 2832	2060	cmd.exe	7zFM.exe
PID 2832 wrote to memory of 2868	2832	7zFM.exe	Photo Intime AppData v2.1.exe
PID 2832 wrote to memory of 2868	2832	7zFM.exe	Photo Intime AppData v2.1.exe
PID 2832 wrote to memory of 2868	2832	7zFM.exe	Photo Intime AppData v2.1.exe
PID 2832 wrote to memory of 2868	2832	7zFM.exe	Photo Intime AppData v2.1.exe
PID 2868 wrote to memory of 2176	2868	Photo Intime AppData v2.1.exe	Photo Intime AppData v2.1.exe
PID 2868 wrote to memory of 2176	2868	Photo Intime AppData v2.1.exe	Photo Intime AppData v2.1.exe
PID 2868 wrote to memory of 2176	2868	Photo Intime AppData v2.1.exe	Photo Intime AppData v2.1.exe
PID 2868 wrote to memory of 2176	2868	Photo Intime AppData v2.1.exe	Photo Intime AppData v2.1.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Photo_Intime_AppBeta_v2.1.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Photo_Intime_AppBeta_v2.1.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\7zO01B08F36\Photo Intime AppData v2.1.exe
"C:\Users\Admin\AppData\Local\Temp\7zO01B08F36\Photo Intime AppData v2.1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\7zO01B08F36\Photo Intime AppData v2.1.exe
"C:\Users\Admin\AppData\Local\Temp\7zO01B08F36\Photo Intime AppData v2.1.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO01B08F36\Photo Intime AppData v2.1.exe

Filesize
6.0MB

MD5
5bd1a6656f2d4703e4e64e35cd1d262f

SHA1
58a734f9f04f0f5483b3e9cdd4cbba4e576f8191

SHA256
ac087ddea7f9dfc2a7706515726f95236f0db6b40d27033a836d1df45c98a29c

SHA512
6dd22bf4086094ce8fac17c69b69f4361a18604dd79e9ccf269a0ff67950d3248c45924b61f21f96327109e455c6dc9f98c38ad40ece6b879c12fc3b39782cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28682\python311.dll

Filesize
1.4MB

MD5
063dcb73b746f525e25a24eafec70f67

SHA1
53e2f24c9d6000347c4c116f244605cd7b54a395

SHA256
e9120dc9b4b2f105db6d2b32c2bd2f5ef34d422ac85578cf2b4d342534003c41

SHA512
3cc1a07395a01c643d6d8550a3532fa2a8927fdcd893142dee7ce9d897ba6f7492d9b0ddcac4b961af8bd2a6eed2342e2208a1bcc222c871c74f7bafad2515d4

Download Submit
memory/2176-61-0x0000000074AF0000-0x0000000074FF3000-memory.dmp

Filesize
5.0MB

Download