Analysis

max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/05/2024, 14:16

Static task: static1
Behavioral task: behavioral1
Sample: OwnCheat.rar
Resource: win7-20240221-en
General

Target: OwnCheat.rar
Size: 170.3MB
MD5: 3ec0351d0e376c32313da6d78df0c69b
SHA1: e9ba4328f5db2af7335b309fd610237481604451
SHA256: ddfbd3bdb5abf02dc0f519de669b56b27dd866b2e93193e4958a8b0825bf019c
SHA512: 9215826453c6643308f141e0a49e4c5c742510cf0d96b6da51f95016fccbab353e19fefa634c73f95944b801eecbde684acf9c8d9422944d9982f64c22dde12e
SSDEEP: 3145728:0YqAq7qufqcWFu3dprtg46lsl/K3Ov7akh8xpQhOfEKN3gaq1ggTEM8aGp:0YlSquNWFuN3ysNK8GkVhObN3p6BA
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2708  7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   2708  7zFM.exe
Token: 35                   2708  7zFM.exe
Token: SeSecurityPrivilege  2708  7zFM.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid   Process
2708  7zFM.exe
2708  7zFM.exe
2708  7zFM.exe
1924  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process  procid_target
PID 2632 wrote to memory of 2708  2632  cmd.exe  29
PID 2632 wrote to memory of 2708  2632  cmd.exe  29
PID 2632 wrote to memory of 2708  2632  cmd.exe  29
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar
  PID: 2632
  - Suspicious use of WriteProcessMemory
    C:\Program Files\7-Zip\7zFM.exe
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar"
      PID: 2708
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID: 1932

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" pnidui.dll,NwCategoryWiz {cfb57058-c07b-4cff-a322-7cc127fbf1cd} 0
  PID: 1924
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 21.5MB
MD5: dada5d3d71d97009275fe266381bd52b
SHA1: be421b5c86767be813811869acf569a1ad1dbf3d
SHA256: 63c3d033bfd95795a555e1ad0b9233c1547cfd7682cca803b31c2a985615d91b
SHA512: 99d5fb30378029dac8980a902848bbbd0f638b0a5bf058537aa27a21a64dafa9c39674273af4a0d15793065c543d358f1a75559ab9c354d9f7754ca03fde4c51

C:\Users\Admin\AppData\Local\Temp\7zE49A64C16\OwnCheat\Addons\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize: 153B
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA1: 259edc45b4569427e8319895a444f4295d54348f
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512: 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37