Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 15:54
Static task
static1
Behavioral task
behavioral1
Sample
RFQ.NO. S70-23Q-1474-CS-P.rar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
RFQ.NO. S70-23Q-1474-CS-P.rar
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
RFQ.NO. S70-23Q-1474-CS-P.vbs
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
RFQ.NO. S70-23Q-1474-CS-P.vbs
Resource
win10v2004-20240412-en
General
- Target: RFQ.NO. S70-23Q-1474-CS-P.rar
- Size: 42KB
- MD5: 0bd3d2e19b1833f1f6e47ed1b280018e
- SHA1: 97c097ce7c7f9e0ff21f3c2473be4f62c1469697
- SHA256: 268e4479aea3fffb3510526ae4fc2413ae7444d24604e90a33bc718fb11e5027
- SHA512: 6f11cbfaa2905dcb49f55361bf80179a9e1b295b2eda3c41290696c52a6f352e0c2635818d549c52637d221d229ebdeec2a1d9163320fc5640b5ed3e35070a8f
- SSDEEP: 768:La5MtHHJjzte49JZvrkudqaki7XyrWCWvcN59xwYy6:LLtFzMaZv5QOrZCdPwYB
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    2540  7zFM.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  2540  7zFM.exe
    Token: 35                  2540  7zFM.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid   process
    2540  7zFM.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process   target process
    PID 1208 wrote to memory of 2540    1208  cmd.exe   7zFM.exe
    PID 1208 wrote to memory of 2540    1208  cmd.exe   7zFM.exe
    PID 1208 wrote to memory of 2540    1208  cmd.exe   7zFM.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P.rar"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\7-Zip\7zFM.exe (child of 1)
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P.rar"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow