Overview

overview

10

Static

static

1

file_x64x86.rar

windows10-1703-x64

file_x64x86.rar

windows10-2004-x64

8

file_x64x86.rar

windows11-21h2-x64

4

Analysis

  • max time kernel
    1669s
  • max time network
    1668s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-03-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file_x64x86.rar

  • Size

    10.5MB

  • MD5

    c0e2e876025cff704f44762e4eef46df

  • SHA1

    53cfde674e868429276dca6c9c4e783ff98b9a8f

  • SHA256

    ce143c9fbf5934660cd61c63796aa00759b07ea5d65b66cd2c05e85239781ad8

  • SHA512

    3c1a3ff3c74b16e1e2c3199f27770ec11fb92d7c2718ee2b0cccbb2c03e8017f3b41ca1d3c08ce03c0e5b594a361de920f7ab08d5722e07e8555c2908c76a694

  • SSDEEP

    196608:XSbIWDiYJg1Z3mG//s6tgqRHqCo7eE8Aj5hjeeEit7w8AmxaPcaY9fTE:WTiYe1Z3ms06tg8H5OC8Gp/Y54

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\file_x64x86.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_x64x86.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3296
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:4272
    • C:\Windows\System32\oobe\UserOOBEBroker.exe
      C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      PID:3676
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
      1⤵
        PID:4476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
        1⤵
          PID:2336
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
          C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
          1⤵
            PID:1608
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:908

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-3-14.140.4476.1.odl
            Filesize

            706B

            MD5

            24d31f81c5945c384407b19f637fe696

            SHA1

            303ee69f18593c5eb3fc079392238e8cb337a252

            SHA256

            cdee7b19d72c6c610238ada444acf1adf40d7b10a2aed243b833540a757e2734

            SHA512

            8a2b81b1e18ed1100e207ac7d610dd64cfa927cc824328a67314dc2567debda3ba2f06348e46afbb68421ca5b56083de9c3f986e39d1dc99276721ae65c822b2

            Download Submit