Overview

overview

8

Static

static

3

e1dc058fc8...11a.7z

windows7-x64

7

e1dc058fc8...11a.7z

windows10-2004-x64

8

Resubmissions

22-03-2024 10:29

240322-mjq1lsdc6w 8

08-05-2023 11:46

230508-nxdg4sad72 7

08-05-2023 11:33

230508-nn5j8sad52 7

Analysis

  • max time kernel
    306s
  • max time network
    332s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2024 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a.7z

  • Size

    104.3MB

  • MD5

    a5ec3cc8b641474e277c8277d228c490

  • SHA1

    1b1981e09fda2880f6d2914ed8c42c6915376138

  • SHA256

    c787cef9e7216be955d5f4ff7b305f3f08d1d283ac3f09a01f821bf7b2d4a9a2

  • SHA512

    f47331c336bd51fe1594f7bcd414d19c881954205cb5e9e4c0bd964efe1be9ac5f262fb35cf77abba4ad470a2e24f9611329f4a36679d75760664e8055dd8677

  • SSDEEP

    3145728:dXmm9U2pg/nJSeKHDUc2FofSxwj3WpAerPQ1:xmGU2pgP0HDUc2PA3Ek1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 16 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a.7z
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a.7z"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2600
  • C:\Users\Admin\Desktop\FlixGrab.exe
    "C:\Users\Admin\Desktop\FlixGrab.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Local\Temp\is-F11AP.tmp\FlixGrab.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-F11AP.tmp\FlixGrab.tmp" /SL5="$40188,92329271,1199616,C:\Users\Admin\Desktop\FlixGrab.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /im FlixGrab.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /im FlixGrabMS.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://freegrabapp.com/cancelupdate/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:424
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:424 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1552
  • C:\Users\Admin\Desktop\activator.exe
    "C:\Users\Admin\Desktop\activator.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\FlixGrab.exe
    Filesize

    4.7MB

    MD5

    ee78b6f0447513cf5014528e063c75f7

    SHA1

    44951188e6f4e884fc340a49c2807a0a51d85b8d

    SHA256

    2015744a38b9e3b4d5692833ef8cf3b6deca61a5c194e9f1db18c1033355d5dd

    SHA512

    22df6b3813c382550b7a40a5701a05fba291243e5d9f2ecaed278df923634ab42cac05ebd201b805e36f8e9795a5e37cfd28d51c7e06d7677cb78a4448bd343b

    Download Submit
  • C:\Users\Admin\Desktop\FlixGrab.exe
    Filesize

    332KB

    MD5

    0c8e2462b5da287a672cb1a3ae8ee6ef

    SHA1

    cadc2f9bcf58661b6c638894dcd068a2fe22d1b1

    SHA256

    72347b1539da539dbb658e6c073594ee19fcccd61f4c2b8ac3cb8b752fcb41e3

    SHA512

    2166174be8a1fa041dc45bfead8ecfb3c1366a08625e80b610ef2dca279b3e9300154aa87b767dac70ffbd216c008e319ff0973d1cd7c786a1673b1ed54a4802

    Download Submit
  • C:\Users\Admin\Desktop\activator.exe
    Filesize

    3.4MB

    MD5

    5b82a5522a92d6c09aeab38e37c48872

    SHA1

    154e0f97b0cbac585ed0b35bf509c7f0e7324409

    SHA256

    2f0114c252fc394b57f4493a7b39bfd8b32739797912aec83965791f5514bc04

    SHA512

    549b4f44629e0db6b02559523bc71b397c650a2e08d3b21f94ca35d7c9da07068c92957d145e7550dcc01d9253b4964ea2010a2faf8bffd6b0b86413590692d5

    Download Submit
  • C:\Users\Admin\Desktop\activator.exe
    Filesize

    512KB

    MD5

    74d80d9da05a4a620460768922740a16

    SHA1

    5770c92d2cca0eb71c0810e43bd5b0c07b83ae87

    SHA256

    daf30f8d27716cd68474348e2703529e1fcd7f482133586a1f22235dcbb08486

    SHA512

    710d4e690d56874ab20183eba9c92c3823d31644ad94d068b2e1e9ebf2994e43c5d3fd69b231f198de03dfffedcdb84477ca9fe9e8f43f97a1634825652ef5c6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-F11AP.tmp\FlixGrab.tmp
    Filesize

    3.4MB

    MD5

    3eab4a4bc4b893805806c9edb6bab9f9

    SHA1

    1cfe1a478e2168150c256dce1826dd9db083f04a

    SHA256

    e332511ac0e7a35540a676567814d2c8ce47cb2e596a6af9d02fd2e01fa414bf

    SHA512

    4fe9818e5ef3852a378deae1a3c0aa1ab4bb2996e8a899883215c4f9da7a124962332dbdd02969aa5b762012916cd464335f9ac5fae1382607360ef8635a797d

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    2.1MB

    MD5

    fbfe2ed14fa5b6454ff5dcb9c0abe4ca

    SHA1

    0875b388466305bbf9a290685d889917f5f4bb2a

    SHA256

    253f54ed8670446b2f3726cafd2839bf8f2c1604e46daa407a36709c7ee9cde6

    SHA512

    4a8e6186f994800e7ce2e077f19ed0cbf9e54bd5cdb588b5ee514dfeed3e435aff6516aeff8a4c218e10040923c159a03b0a98245b7fec8103a13f2e2425068a

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    70KB

    MD5

    b3fbfeddf295e761af13aa7b951dabd0

    SHA1

    c70680a976d4940bfdb5a15028bf84e300243239

    SHA256

    56305f9aac4f28185a18e3e3b4c717d6097b70b343f32f2feaf8c33c07878c2b

    SHA512

    ee9fa2cf5e3028ded7d109a825e557c1c07daf80d3ca726fc455e993e53e2bef119b8a5bdb7f0e72122a8487255881f86e47cf09482ae39d06e52fe090d7cb32

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    146KB

    MD5

    e55e90b539d453d31752e38eca8b1609

    SHA1

    d039ea7159b1d346576f05d5d59503d75a9b23aa

    SHA256

    7a5362b55e71b6ae267902754566e2f06856b8a8da268332c33b8fab9a8eb1a9

    SHA512

    552dd0ef53a8f220e36684b32222a2e11a964be88ff7101acef1990385d59faddf4a35d77ecaac2252de7fd1cb10c2f92382f6cbbc5448a78a0669dfd255a976

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    320KB

    MD5

    8ecd26faaed674f91edd5a206ec10241

    SHA1

    1ee95d66fbf155f2613885db9cff20155c88793e

    SHA256

    70365fba012df4f63da1eb4e144feb192d1ea6b6b1e5ad2256b62c83b477899b

    SHA512

    d3319382503365060f97a3361f8b0eaf071de404238beab522b6f5b9dbc4be870fc36d5cf1e07bd5e9ccbf297b6dd393e0f2583a965cfdadf89ebcbc50fbd56f

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    83KB

    MD5

    a1bca68eafe3893db9f3abdd3d777069

    SHA1

    3c82d35161145267523170df9c2ed6371e2f4fd4

    SHA256

    ff63cf5556d7fe9a50a3941fd35fa3f63f2fd50f950941fc62a5e8e291bcb695

    SHA512

    2b5ed9dc2d0af2b025615ac1352bd437975bc2d713f0ee45583b832cb5a4296a9111393cb1d4aeedd6e40608b5116a81d73e94a3160c6ec0bdb00d4494ecb5b8

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    130KB

    MD5

    04687bc4670aeb21e28b4cf672bf8974

    SHA1

    0e4074e582f9dc25d1b19ca1fd16904f3ced9896

    SHA256

    b368d42e798067dd66524a8fcdb78e69bbe0fb03ff4d38c790a5eef45e469920

    SHA512

    e7ec1befe4cad58e28ce5813ca9878e9a6cb5b66a621ffb198ac12e22e2b0ebdd19e5b498a204ca3d85af8e558ea94ce4aa59456924b42dfdec367ce2d2f0a08

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    10KB

    MD5

    63d3918da361b8cda2a84ae622e9d3d5

    SHA1

    83e1552205bc18ad20911716e5e1203730a8fc07

    SHA256

    ef18825df66601e8fff50b2d2c07524089f3335170c738d46a7fc3186b3c7072

    SHA512

    131f59da9fddfbd559f037a000c60b88a0faa2c14f6fef6fb61d58e7207fa186108ddaaea798bd742f1159d1d252b69ac0bbe6f55633094de09e133af3b7c77a

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    3.8MB

    MD5

    18f9d73fa5c31f20a8d0a540e744c922

    SHA1

    0d5c81b358bcd1fba51ad9f4df593620a32ae88e

    SHA256

    e4ce5f106cb3ffd5c922da02b5419691c8983d12a3967951d831e12822322d3f

    SHA512

    df7bb845cd4802cc01f67ed4452a9e149d8650f0f8c36fc5a66040e2443be727f72160f934ffb8f7a2a610660be14e699fcba786bf92aa9c694126e305c9690d

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    5.4MB

    MD5

    d9987ab259adb015e383cbf4b3423a75

    SHA1

    eb061b773f4285f28732079d0142ef4028af67db

    SHA256

    bbdf1cd25b3d31f6d9fb465866cbc19018a2d8d37bab1de2a73180da0c49e48b

    SHA512

    9fadfe2f88145871f88d2f4cd0fdd10964cc6e3a11b0d04523b94a70852d208d0b7d8f2db29e19ae538bc63deb442c21e8909f49c90952bf30ebdec69eda8e50

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    4.1MB

    MD5

    7c5bdb751e0574a3bd67a35f1f11518e

    SHA1

    a24cf5896d99f0b48295671f9c4144955ba37705

    SHA256

    e72f2efd37708f961be01284b3bfda3fadb46c7e16c97c082af1a5024c9f6217

    SHA512

    ee2262520709b10b33f10481d915b2dc801a39ee3c34eb1690642a7b2d9de272e065ff30e775b3aecf2e6091cadf325d012818bbe1c6e67205ccc4452be1130d

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    4.6MB

    MD5

    bc38be478ebb1f7028fc3bf2378f9871

    SHA1

    1180f443b0924e48d927efa7a2ecf9f48b74683d

    SHA256

    5622c97fc8cfeb6e7456c26d718c58123d225721e234c80872b30394cd5f19cc

    SHA512

    f16d135329e4846315bca2ff27fd55e9427a509facfa0c482f9964e8a0ee73da569dd284a09f70ef546fdf14c0a1a96ce9a6ec2a4064e7e88156e6e1b703abaf

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    2.7MB

    MD5

    d1df3bccdaf2905423bcd127e68d5b85

    SHA1

    a6faf73a516e28e7343d036aaa81d0f78cc20470

    SHA256

    c28731ee58b0a7e3a9b7260c14a3f08e4827d4348f66273b8414b17f5b1bab17

    SHA512

    e4e9771423dba38acf1b494ab4f11cfccde3c447533fcf1b37a8b448666de557ab5eab2c5e79388f112cfa4f398def56dfab8695667447177fc0f1f461b2829c

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    1.7MB

    MD5

    44ef911a979551349dc4eb5accc8c7e3

    SHA1

    1e67259b1194e878549c0b9c479f5392346657a4

    SHA256

    ad26b298e011f8422e2fc6d05649990fdac8a2bd48b0f5bc8d7bb2fcc3987b0d

    SHA512

    e08d0a695439c9483dec35ee63d23c4ad06c9fc3d871c2741cb962d845b33e72c4bc81e5c5326f3b2b235c0df014fac0bb34d02c9ff4ca9ec15573e1f0904dbb

    Download Submit
  • \Users\Admin\Desktop\activator.exe
    Filesize

    1.6MB

    MD5

    e28c4d09e543906a8559bdbc83416928

    SHA1

    7b4813721643017c77da9f8c079370bd117e0bfa

    SHA256

    9daa0827c0dc9774c85eefc2708eee52642d7dcc4c3d3f2a9d155e6d827d6799

    SHA512

    cdcb4ef0b0e145d362f895890e11e37be286acd52caec99008b56989330191a9d0682e7b02711796e4310352be22437dc2f16f2cc616f7abdb956602dcae0e48

    Download Submit
  • memory/1476-47-0x0000000000400000-0x0000000000532000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1476-36-0x0000000000400000-0x0000000000532000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1792-48-0x0000000000400000-0x000000000076C000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1792-44-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1792-49-0x0000000000400000-0x000000000076C000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/2780-174-0x000000013FB30000-0x00000001416E0000-memory.dmp
    Filesize

    27.7MB

    Download
  • memory/2780-176-0x000000013FB30000-0x00000001416E0000-memory.dmp
    Filesize

    27.7MB

    Download