Resubmissions
13-02-2024 12:04 240213-n8wg3ahc2z 10
04-12-2023 18:50 231204-xg8gzsec21 10
04-12-2023 18:47 231204-xe7gxaec2v 10
Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 13-02-2024 12:04
Static task
static1
Behavioral task
behavioral1
Sample
Kviitung_04-12-2023.rar
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Kviitung_04-12-2023.rar
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
Kviitung_04-12-2023.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
Kviitung_04-12-2023.exe
Resource
win10v2004-20231215-en
General
- Target: Kviitung_04-12-2023.rar
- Size: 602KB
- MD5: fea76b9861cd494170f5edd89179dbb3
- SHA1: a5c8b5a1aa7c786463609d0bc844a5710d1b4361
- SHA256: 128de5e09d0453bdce3abe943b88c72adb065971c9db3ee6e8075bd6651c356e
- SHA512: 297c0978417152f9b117fb22fa0afa456cf9070606e3965a9df0fcfdb9c62b1fb0d5e8e5af9203a2f20d6bd9af32d62182f24b60ffb5e4305ba0fb09efed980b
- SSDEEP: 12288:3H8nfotulgPDaqAc07qzo1n9oCgVrQhFBvyR0mMR:3RtdPDaPqzoF9OVrQFd1f
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeRestorePrivilege 2992  7zFM.exe
  Token: 35                 2992  7zFM.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid   process
  2992  7zFM.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process   target process
  PID 2372 wrote to memory of 2992  2372  cmd.exe   7zFM.exe
  PID 2372 wrote to memory of 2992  2372  cmd.exe   7zFM.exe
  PID 2372 wrote to memory of 2992  2372  cmd.exe   7zFM.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.rar
  - Suspicious use of WriteProcessMemory
  PID: 2372
  - C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.rar"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2992