705dffc3bbb0269cf07dd30663eac4d42774400a995d35b9a852f35d97548889

Resubmissions

11-03-2024 08:37

240311-kjdn6sfg5y 10

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoostTool.rar
Size

14.2MB
MD5

2ec6529ee57f5664b5c921324ba0905c
SHA1

033a29688c7ca373a6de29ae89f37a735669add8
SHA256

705dffc3bbb0269cf07dd30663eac4d42774400a995d35b9a852f35d97548889
SHA512

648d3babe00497c30bcb32e860a4c5caf7123311810dd3b9878e2c5e76039b64aec93e315e6eedfad4731901806ce8fc82a38c87d406fc3c2656ec7dbe901110
SSDEEP

196608:+VOENbNNhARt7Fm/sM8kwQxYk1hYd7M+i4ctWJ1YXJzGvir/vB/+e:+8KVAH7WZwQx7hB+V+WJ14GvAp/R

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2472	BoostTool.exe
2308	BoostTool.exe
632	BoostTool.exe
3040	BoostTool.exe

Loads dropped DLL 8 IoCs

pid	Process
2600	7zFM.exe
2472	BoostTool.exe
2308	BoostTool.exe
2600	7zFM.exe
632	BoostTool.exe
3040	BoostTool.exe
1256	Process not Found
1256	Process not Found

Detects Pyinstaller 13 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x002d000000015c3a-27.dat	pyinstaller
behavioral1/files/0x002d000000015c3a-29.dat	pyinstaller
behavioral1/files/0x002d000000015c3a-30.dat	pyinstaller
behavioral1/files/0x002d000000015c3a-31.dat	pyinstaller
behavioral1/files/0x002d000000015c3a-117.dat	pyinstaller
behavioral1/files/0x002d000000015c3a-116.dat	pyinstaller
behavioral1/files/0x000500000001a3de-123.dat	pyinstaller
behavioral1/files/0x000500000001a3de-126.dat	pyinstaller
behavioral1/files/0x000500000001a3de-127.dat	pyinstaller
behavioral1/files/0x000500000001a3de-212.dat	pyinstaller
behavioral1/files/0x000500000001a3de-213.dat	pyinstaller
behavioral1/files/0x002d000000015c3a-216.dat	pyinstaller
behavioral1/files/0x002d000000015c3a-217.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2600	7zFM.exe
Token: 35	2600	7zFM.exe
Token: SeSecurityPrivilege	2600	7zFM.exe
Token: SeSecurityPrivilege	2600	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2600	2332	cmd.exe	29
PID 2332 wrote to memory of 2600	2332	cmd.exe	29
PID 2332 wrote to memory of 2600	2332	cmd.exe	29
PID 2600 wrote to memory of 2472	2600	7zFM.exe	32
PID 2600 wrote to memory of 2472	2600	7zFM.exe	32
PID 2600 wrote to memory of 2472	2600	7zFM.exe	32
PID 2472 wrote to memory of 2308	2472	BoostTool.exe	33
PID 2472 wrote to memory of 2308	2472	BoostTool.exe	33
PID 2472 wrote to memory of 2308	2472	BoostTool.exe	33
PID 2600 wrote to memory of 632	2600	7zFM.exe	34
PID 2600 wrote to memory of 632	2600	7zFM.exe	34
PID 2600 wrote to memory of 632	2600	7zFM.exe	34
PID 632 wrote to memory of 3040	632	BoostTool.exe	35
PID 632 wrote to memory of 3040	632	BoostTool.exe	35
PID 632 wrote to memory of 3040	632	BoostTool.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostTool.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BoostTool.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2308
- - C:\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe

Filesize
13.6MB

MD5
d890fbd93a3c6b362e7670b0de23d018

SHA1
56bb6e492aa85de6ffb19a0313f86c5d5f3a32b9

SHA256
cf1723cba12c552921aa51ce10ee549a6ce9c19ec04fc77d2c3951a91739d661

SHA512
08d86da9fa0f3a416e065c6b7306fb5404a8404a9f74a1af56acb0fd06837130c3179f83eb38d7847386a1ae62cab98920d48a25deb5469e5e867cd8f815fd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe

Filesize
1007KB

MD5
d55b247a64c5f5a2a62652430b0da75d

SHA1
f818c8918bfbc9e18d47980488c617a7ccab14a2

SHA256
7ece3d6211008f5c1c76206f18ada90f7130f36b0be06b16e76e70413ab1986a

SHA512
981cba4a713df7f77932d06515251a7ff13986f8681708853514a3156b1d984e7669558f38feeb535b0dba41a517323310fab4680a9a80a54e05273efe2df6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe

Filesize
2.3MB

MD5
b56dfff3dcd7cc94750cf61ac46e6d19

SHA1
a9f76f05cc89abe39ef296f82c8970788e5472d2

SHA256
ea2f9a8f34c8e25d3bdc8cd09d19f8777faa8a7fbf59af44d338a7d74ef4d4c8

SHA512
094c0890f7dc9cc6e2918165a58950954f2498e406d8d3715cc98360e307c20881ca574b1571e788439f9e65da93b5ae2f9be0ae466c04de7d782693584bb3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
2.7MB

MD5
9ed7493e65fadbd2a60150af0ca30d41

SHA1
11a2b8ecc3e00edfff842b6dc3fcbdbec43661a5

SHA256
525217b043e2673e0ffcc367050d741219eb0a2068c983e12e7db7035ffd5fe2

SHA512
ca13a5b5da5b608e68575d986787dbd4cc498728f42607c46d377a9cd2ceb2396c872036af3d7fdd9b3ca9c22b48f5bf9c6d46f5230f8575e25d6ac376fe34f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
832KB

MD5
d8be7023ea583a5f95c4bb1518fde01c

SHA1
ac86ba95baf7026c569b5e0acb2f92a6dbefd08b

SHA256
198c2d6cbe314233feb65e0909b105d2a16c9e932dfaf0e76811759c3d2a10b9

SHA512
22c7171ebab5dd5deb38c30e9b162bc1ee703253c426ad3b70b0f60fbecca6dfb7d9628b09162159fb7dbaeb1999616304281aa99f855249abddacef5ae57ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
2.8MB

MD5
1940f1d27b357dc57d473ba03f063b0b

SHA1
d4058c41d3d4f2749e4192459889cb39f604aa38

SHA256
fe7b2e9168dadd661de3c0c2c1df9e09c094729886319d76c42a73219da3c4fc

SHA512
fd5b41038511d57cd5d55866a11f5a5fdb2ac87cb7eb1477bb9fdd4b1798dab23b78444d8e285e07aa4ea6d44fc5adea8b71e97401a847bc0410c3113fc92645

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
3.0MB

MD5
5b196a08d617bd68648c51d53e1f03f0

SHA1
21b5373d289e735673fd6bc93ffc6ea4d36985ec

SHA256
a81838ed2af4046465e0a6dd7c9ecd5de7366d5c52a28197f1c356ce536e64a1

SHA512
152c563bc9990a79c5bac3e6c951df7b1e8528250c0536e940a31851d7128f08a19b61817d9fb1c27771b0980df91473fa687fc411f5dc2e7e0859ecbf610910

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\python310.dll

Filesize
640KB

MD5
e58d8c34cea024ffc3a93b8ec46de42e

SHA1
e3be28bb24b15c442312b6554e5bf566b6aa9413

SHA256
b76cc84e8bc5d5681ffa443e204e5a22d1da7bdcb6258c71c65821af10b7f4d9

SHA512
388468a24d447b61a98f340e29293e5c47842493692d15b1838563a83d25ab97f9da6684fe25b5479135b51f0a42b97ef3c7b45e1aba28ea83d6adc793654cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6322\python310.dll

Filesize
2.1MB

MD5
1d83bd634914dd49363ed485c9e9b826

SHA1
ccec0b4ae03ad77b2d0b5d9f1e4ccf693c3c3c90

SHA256
aceb83d29d1270237d2f1a076fb4fef8d2f45ca07a4733253cfd0840166c6003

SHA512
efda6ec874d7d7b52ef45ac5c8abba75c3478314440a79ffd56ef76de77e9bb6e116a0ec292dfeb39485a7228510ee5cb664ee9fcdcfc45c44c8ce56fda04266

Download Submit
\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe

Filesize
13.5MB

MD5
f0a146657f85c093eebf1a09220de5a4

SHA1
0a2d4e7528a959557337a8a4daf074b686667997

SHA256
2759e3d5a8615814bc0b81202bfc428a4afdc9a5be4cbcb3d5eeeea304c99844

SHA512
9e6f49ca4fd4cb0e0abf6fc60f355e5a5066d97dffcad8c5ff361b0921e2099921f713fec7e12576fbfa128b7c8d7b57311c1bb79c467dd38fd4f659cc6b02df

Download Submit
\Users\Admin\AppData\Local\Temp\7zO82A5B1C6\BoostTool.exe

Filesize
64KB

MD5
b4bbb77c8ad62defcccdee0bc104cd48

SHA1
8a264f795de3374df750bee280d8161e73b78bb0

SHA256
efbaac67b0c77561f0439a30d14fe4604244ece6d8590264daa28156999c6930

SHA512
57425b11f2345b2c613db4c2566f415af31688af387212f7ae7478bb7d2d88ee22b408a3388405529f5d9477a06cd41b3fccad83213776ccb50621a8e13caccb

Download Submit
\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
2.8MB

MD5
392ec1d4c3d8ebf73b51d74da1fbc0dc

SHA1
f7b7368155470173c63beb77614e8b67b9e0f8b1

SHA256
93f7e794425303273b2d7798f21b6c80367115a6625db869d96337e063c1d6dd

SHA512
c87e6cb97eec76c0fa95f9404ecb1561a7416e9e0f973b1d1e9c781444a2b19784e600f5a8df47f4b9714169025f5f0b110e5d6f26b6d2cb004b2c5b2136b08a

Download Submit
\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
11.4MB

MD5
c22d28887c12b7d04d413cf93928da39

SHA1
ed4bd66d0a2456c74f5ab6f3e5501244a42e2ced

SHA256
b69bb3713f8f63ed2dade9ad620e0c6aeb828ba9a9c5d4e157265a6c8ec86c71

SHA512
a04dc2712e8746c35263fba7cff7d716a3b4a04fddb993e7f80b1fbeeb6bc025e046771b0a7adcae80c6c641ef7e28d650179cd5da6af7dd0a44804dacbb7c14

Download Submit
\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
13.6MB

MD5
65cb2d19d63e06802c29803b62e81a5e

SHA1
3564a780112c5d481cc44447ae857dac843887d4

SHA256
5033a38dfa6c7405ef0afcdc5427b11515f6e6d7bb30a2c83b15e832946d3b77

SHA512
bab1931f9afdc5c04908ce36a0559ee038fb55880d4774d7212ad98dac13494c1e7eeb6ecc0e66da4f24cd6485c00faa08a418db2c67b510e8b51c33a823e3a3

Download Submit
\Users\Admin\AppData\Local\Temp\7zO82A93BC6\BoostTool.exe

Filesize
4.8MB

MD5
e5513326ba2f687d11c19c4fb694aec8

SHA1
bca85ddc0ff92072741374957b399f3b3b0c91cb

SHA256
0f35c934664738b5adf1cb4714c9be75fd78b8746553777288095f6309a437d7

SHA512
68ccdc180827c73cd9a241095a25bb56c139cabd6f8443882d4cd40f21495c3ab5d8cdafea912d3831ead8a72a6c9c833a15126f9b0f24a163e6fd2d6e3934be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24722\python310.dll

Filesize
64KB

MD5
a05431ada45df31c5599c1fa44a5ad4f

SHA1
5cf04bdd947d78fe19752e827b2a2f079b62f3af

SHA256
95aa98f53d68c7fd7dc2b197cecf1a279b308679e2a3da2ef34db6860f86c42d

SHA512
4fbb1b01be91efa27cc0cc2d86a990068f9e08916e81375474a24a12c29472921d23daec527fe6d75df0aae8d86201d951d88e74d7bef0bd1b9e58364f848a06

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6322\python310.dll

Filesize
917KB

MD5
89b53078c53de8b74cf131aa881a6941

SHA1
76572097375b76df35aadb13769ac0d3a389f3b6

SHA256
994f2d7d77746527c21eb2f5825e159de43449db9851e3031ec26cd74400598b

SHA512
7f977f363c4b5e09cb15b16881470127b4ac013d007f6ed1f1252175c0e3edbae796dfd0ecfde5c3debe924dcf409fb6466c9d338fec0d556101dea7385a0bc7

Download Submit