Analysis
-
max time kernel
1794s -
max time network
1799s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31/05/2024, 15:06
Static task
static1
Behavioral task
behavioral1
Sample
7tt_setup.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
7+ Taskbar Tweaker.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
bin/64/inject.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
inject.dll
Resource
win10v2004-20240426-en
General
-
Target
7+ Taskbar Tweaker.exe
-
Size
482KB
-
MD5
6da96b41736b77d8522d63a412ee5162
-
SHA1
54f2c9c1a3526d451796682a8271c51ecccb83f2
-
SHA256
fcdc7f3c907e111e50d9a82e76c4a142875a7e7a1c3b1d74fd9bf5a30e44d417
-
SHA512
6dcc3c85b6c41d985c9b0b1b21a8a77b17d75a1c28b4f0f1d43e4b975572f6d9fb8b91358911e4887f4d29378664002ed0b004bc399330115fc90ed99f4f8464
-
SSDEEP
6144:rI5iCHDGIZU3H3SQg39Tlg1ASntD0oqYSGmOCQXl3zVGHttt1:U5iCHPZU3XSQg39+1/aYSGjCcKNb1
Malware Config
Signatures
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE -
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 608 7+ Taskbar Tweaker.exe 608 7+ Taskbar Tweaker.exe 608 7+ Taskbar Tweaker.exe 3524 Explorer.EXE 3524 Explorer.EXE 608 7+ Taskbar Tweaker.exe 3524 Explorer.EXE 3524 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 608 7+ Taskbar Tweaker.exe 608 7+ Taskbar Tweaker.exe 3524 Explorer.EXE 608 7+ Taskbar Tweaker.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 608 wrote to memory of 3524 608 7+ Taskbar Tweaker.exe 56 PID 608 wrote to memory of 3524 608 7+ Taskbar Tweaker.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\7+ Taskbar Tweaker.exe"C:\Users\Admin\AppData\Local\Temp\7+ Taskbar Tweaker.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:81⤵PID:5072
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:81⤵PID:3152