5961d0a8ebdc116b674d3231b5c8b01b35d3c7a191b0bb8ab5bb7b14352cc065

Resubmissions

24/02/2024, 23:32

240224-3jlc5agg36 10

19/02/2024, 20:03

240219-ys4tlscg37 10

19/02/2024, 20:01

240219-yrrsnacb2z 10

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

License/Driver Booster 11 PRO License.exe
Size

770KB
MD5

27cf0c7d37e5ffbab9b1a163544f3321
SHA1

3ed7493f213a01f7c99a4d11f56cfa7f79f90d0a
SHA256

4f6eba5f100a37005509d15782ca2991de72d027be766ba779f20e956555c29b
SHA512

f9ac54ee39c7192406a51a6e506b420387b2314facc31656b1acd3a69fdcb3060553b42122c5a6f5092083d71c20d4304b1ed067e9b1e481951c1a4798e0fa2d
SSDEEP

12288:HtLqu6mmCXykkkkkkkBgEgEQJrQXSmsw71AfyffvnZYyGPlWHiCXIEwc+4iAxtz+:HtLWjQXDsw+fAXnZWWHLfwcvxzF7di

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1588 created 1340	1588	Rosa.pif	12

Executes dropped EXE 2 IoCs

pid	Process
1588	Rosa.pif
832	Rosa.pif

Loads dropped DLL 2 IoCs

pid	Process
2768	cmd.exe
1588	Rosa.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 832	1588	Rosa.pif	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2708	tasklist.exe
2748	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2448	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1588	Rosa.pif
1588	Rosa.pif
1588	Rosa.pif
1588	Rosa.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	tasklist.exe
Token: SeDebugPrivilege	2748	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1588	Rosa.pif
1588	Rosa.pif
1588	Rosa.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1588	Rosa.pif
1588	Rosa.pif
1588	Rosa.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2768	2956	Driver Booster 11 PRO License.exe	29
PID 2956 wrote to memory of 2768	2956	Driver Booster 11 PRO License.exe	29
PID 2956 wrote to memory of 2768	2956	Driver Booster 11 PRO License.exe	29
PID 2956 wrote to memory of 2768	2956	Driver Booster 11 PRO License.exe	29
PID 2768 wrote to memory of 2708	2768	cmd.exe	31
PID 2768 wrote to memory of 2708	2768	cmd.exe	31
PID 2768 wrote to memory of 2708	2768	cmd.exe	31
PID 2768 wrote to memory of 2708	2768	cmd.exe	31
PID 2768 wrote to memory of 2580	2768	cmd.exe	32
PID 2768 wrote to memory of 2580	2768	cmd.exe	32
PID 2768 wrote to memory of 2580	2768	cmd.exe	32
PID 2768 wrote to memory of 2580	2768	cmd.exe	32
PID 2768 wrote to memory of 2748	2768	cmd.exe	34
PID 2768 wrote to memory of 2748	2768	cmd.exe	34
PID 2768 wrote to memory of 2748	2768	cmd.exe	34
PID 2768 wrote to memory of 2748	2768	cmd.exe	34
PID 2768 wrote to memory of 1656	2768	cmd.exe	35
PID 2768 wrote to memory of 1656	2768	cmd.exe	35
PID 2768 wrote to memory of 1656	2768	cmd.exe	35
PID 2768 wrote to memory of 1656	2768	cmd.exe	35
PID 2768 wrote to memory of 2568	2768	cmd.exe	36
PID 2768 wrote to memory of 2568	2768	cmd.exe	36
PID 2768 wrote to memory of 2568	2768	cmd.exe	36
PID 2768 wrote to memory of 2568	2768	cmd.exe	36
PID 2768 wrote to memory of 2588	2768	cmd.exe	37
PID 2768 wrote to memory of 2588	2768	cmd.exe	37
PID 2768 wrote to memory of 2588	2768	cmd.exe	37
PID 2768 wrote to memory of 2588	2768	cmd.exe	37
PID 2768 wrote to memory of 2696	2768	cmd.exe	38
PID 2768 wrote to memory of 2696	2768	cmd.exe	38
PID 2768 wrote to memory of 2696	2768	cmd.exe	38
PID 2768 wrote to memory of 2696	2768	cmd.exe	38
PID 2768 wrote to memory of 1588	2768	cmd.exe	39
PID 2768 wrote to memory of 1588	2768	cmd.exe	39
PID 2768 wrote to memory of 1588	2768	cmd.exe	39
PID 2768 wrote to memory of 1588	2768	cmd.exe	39
PID 2768 wrote to memory of 2448	2768	cmd.exe	40
PID 2768 wrote to memory of 2448	2768	cmd.exe	40
PID 2768 wrote to memory of 2448	2768	cmd.exe	40
PID 2768 wrote to memory of 2448	2768	cmd.exe	40
PID 1588 wrote to memory of 832	1588	Rosa.pif	43
PID 1588 wrote to memory of 832	1588	Rosa.pif	43
PID 1588 wrote to memory of 832	1588	Rosa.pif	43
PID 1588 wrote to memory of 832	1588	Rosa.pif	43
PID 1588 wrote to memory of 832	1588	Rosa.pif	43
PID 1588 wrote to memory of 832	1588	Rosa.pif	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\License\Driver Booster 11 PRO License.exe
  "C:\Users\Admin\AppData\Local\Temp\License\Driver Booster 11 PRO License.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2748
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 10057
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10057\Rosa.pif
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Processing 10057\e
      4⤵
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\Rosa.pif
      10057\Rosa.pif 10057\e
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1588
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:2448
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\Rosa.pif
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\Rosa.pif
  2⤵
  - Executes dropped EXE
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\Rosa.pif

Filesize
445KB

MD5
aa7be6d78640248972df52ffe33580d0

SHA1
081d6f0c550d5be15cd90043ead22ee0b29f5003

SHA256
92a6dfe5ecf10ac5a134ac74e0e9d5a43029e8ce5f32992cd46c7177c549ccca

SHA512
92cd3599495518a21efa0cea084481766811206c3090543977bb9324c0f38ad71d97907f5afbbe9e040348a3cce70fd2ebbed4189888c855bc853dcd7b4bb09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\Rosa.pif

Filesize
142KB

MD5
4aef6854c95359713a25a64f5229e824

SHA1
e4deb04d1b093011fa21a219716213219dc3f3ed

SHA256
fc9df6243d78dadecfabe85003c3ed247cc68f526fb25c7e31c1b82974ba6bda

SHA512
6010c079431196efc60a0dc6c53f4a90976caf1dd2c871149bf5a9e713b4acd39b185fcffef4de9e777897e27c6330746d96abff8e6481c8df7798b4075f312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\e

Filesize
4KB

MD5
55507015c17e144dcad0ad65fde55d24

SHA1
681b9a102355de39ebbaa84cc5e5e84bda387598

SHA256
6b6a17274144289b69e0a8853656e84850764321e0cae1c1385c289ce2f33e20

SHA512
c49cfcc3d1e43b0959c80b53e1644a75e9f6dda8dc9bd09100226f8e47923b6a46c6170f237a5b875f5ca2b74194e2bd7edff765673b05168556d73270486c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Administrator

Filesize
178KB

MD5
d8f9dd4003de34471d0797f274ebe7bc

SHA1
393aceab75a29520961e52cd0756e8971f02f72a

SHA256
db576bf9cae0e2ec38f1efbcaad5e7941b3456bc7b9ab5d3570d281937ef007c

SHA512
bc34e3ee19055353eab85ef420a8ccbba81bc8ade7f745c7e7ca6fab6ebded5ffbce01bd2fec78bc8db661e89c62f021ff375d547670eb08050ac49e07ea657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Assume

Filesize
10KB

MD5
8c4c658f59e7e8626cf7f8a382cbe005

SHA1
7ca0681bab8878b032d2f084275a487fea690bcc

SHA256
462506a044d309cde8677030483e35b4ad323f7f93b4f82c667aa0426017bb1a

SHA512
d2077ef00c1f8753d7cd27b56aa2bcd266b046c3fe25eca58265ff0cc0e990234889eafb38cf55c16c98105cbaa785f66c4575b977958a26a0a1919069413f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bronze

Filesize
115KB

MD5
7dea798d8550a7eb8c0dac613d328119

SHA1
3c2a6577e063b7371c52108393c8637f338c70cc

SHA256
7c418482ec85689387802871cc2bc4a031b68328a60b90122d4e3d84cea306cf

SHA512
7750be47bcdd5225dd73eb7e06c500d50b43fe961424cc6f4c09f78648848e10175b137d032d73fecd7b9cc5e6469889d98ab39735c183c3b05447e7237ca7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Extending

Filesize
118KB

MD5
f2a6a75f93068cb427350af64f2b98a7

SHA1
e11e41958a8a3b68ff6a8a4bd126b9aff9849d0c

SHA256
28f253d9592bc6badf74dd1dbadda2d65a47e812cb2d75435b25f650cf06a9e5

SHA512
584bdb2eb53eaf86b85eff99c5f8253783421964e9ccc1d9226394b2135d75ef13d8d35369ebf569d5955fab5ba6acb98e6bf68a82a7b51a287470ac3816eefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fields

Filesize
293KB

MD5
b38a37e518db3dd0646287e647da2791

SHA1
80ec5fed671f51a07cc6f30a411bf91056e0e4e3

SHA256
f938df0350470599eda1c3359637627f8cc261038eb6d7438b883ce4c0722580

SHA512
5aaacfe5a3a033b9b07601b1ec1be3079d3244a2a42238cd498ff32f165bcb128a2442a84954fa92dfa3ef7bb32fd4f1013e51ff13deb222d97759c09af332db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pressing

Filesize
220KB

MD5
96b80b99cf941e0851f2d4c6c739563f

SHA1
7cb29861f9e3c81241558eb558f7b6766b9601c2

SHA256
348fcc34733289fb855961990e9c8a7fd0d0b6841fa915b11fea3f354666cbde

SHA512
7d64d6ddfb54beb647f56dc4bcd8f71b8477046c325e5bb35d88149c55a998f69822a6572945e12a4416ea2985d73da7235cc754beddb007c36fbc96a977c35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Processing

Filesize
401KB

MD5
f8a1fc75b3bb6e1cac4cfaa82e25b698

SHA1
ebd7573bdcbfc9ac51742d198cc3287689417cb2

SHA256
07760b8ddfaa45d173d7565e35147019b204cfa4d9009d90755f33062c8b4741

SHA512
cae5ea4f51058cb6bbb4aa70e50eec87be028a607f824ac80ee13b94dbc67489dad831900c4b45f45b79891aa9ab7b78e92748385547ebe7ac44c92f07c1013b

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\Rosa.pif

Filesize
548KB

MD5
1f438f71f5f0c30203011a646b220263

SHA1
e785ead8a357b159f1541972a365285add66cf3b

SHA256
bdd40ebf1721864986002d2eec2e11a3e1cd503107f35cb69b17738995c9eb1a

SHA512
40181109cfd067a74948a43a148e7d2389ef54bd067b373c2272c7441c6d77e2a4c0b4cd51cde5766b7fac60ceca33602e982e7ac0077c3f1c78d74e33c3a379

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10057\Rosa.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
memory/1588-28-0x0000000077690000-0x0000000077766000-memory.dmp

Filesize
856KB

Download
memory/1588-30-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download