Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: Bypass.rar
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Bypass.rar
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: Bypass/Cracked.reg
  Resource: win7-20240611-en
Behavioral task: behavioral4
  Sample: Bypass/Cracked.reg
  Resource: win10v2004-20240611-en
Behavioral task: behavioral5
  Sample: Bypass/d3d9.dll
  Resource: win7-20240508-en
Behavioral task: behavioral6
  Sample: Bypass/d3d9.dll
  Resource: win10v2004-20240611-en
General
Target: Bypass.rar
Size: 49KB
MD5: e4295d4405b95fa6d5a665215c95b607
SHA1: e89677a8c60b1f16378ba743b7fd84871f2d7b35
SHA256: 47ba76e3e00909927f27dfc2b85ee8824ebb5f5c0cb4dd26693bb7a1afb67410
SHA512: b8782bba1fca2f3622d031a44f4febc48d4189cd40f15b79b5a8ae4621a072e481219038d65207b81f544944c7ff0b14da81ae248b52c70d47d367d32cb4ff7e
SSDEEP: 1536:rtRzjkkCV615eeztX25b789sRKfTiPCnUX5wxIxKB+XzUd9:5RfkkCgvYF7/RKrUCnUJiYKB+wd9
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs .reg file with regedit (2 IoCs)
  Processes:
    pid   process
    2496  regedit.exe
    2168  regedit.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2592  7zFM.exe
    2592  7zFM.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    2592  7zFM.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   2592  7zFM.exe
    Token: 35                   2592  7zFM.exe
    Token: SeSecurityPrivilege  2592  7zFM.exe
    Token: SeSecurityPrivilege  2592  7zFM.exe
    Token: SeSecurityPrivilege  2592  7zFM.exe

Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes:
    pid   process
    2592  7zFM.exe
    2592  7zFM.exe
    2592  7zFM.exe
    2592  7zFM.exe
    2592  7zFM.exe
    2592  7zFM.exe
    2592  7zFM.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process   target process
    PID 1248 wrote to memory of 2592  1248  cmd.exe   7zFM.exe
    PID 1248 wrote to memory of 2592  1248  cmd.exe   7zFM.exe
    PID 1248 wrote to memory of 2592  1248  cmd.exe   7zFM.exe
    PID 2592 wrote to memory of 2496  2592  7zFM.exe  regedit.exe
    PID 2592 wrote to memory of 2496  2592  7zFM.exe  regedit.exe
    PID 2592 wrote to memory of 2496  2592  7zFM.exe  regedit.exe
    PID 2592 wrote to memory of 2168  2592  7zFM.exe  regedit.exe
    PID 2592 wrote to memory of 2168  2592  7zFM.exe  regedit.exe
    PID 2592 wrote to memory of 2168  2592  7zFM.exe  regedit.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Bypass.rar
  PID: 1248
  Suspicious use of WriteProcessMemory
  C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bypass.rar"
    PID: 2592
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of WriteProcessMemory
    C:\Windows\regedit.exe
      Command line: "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\7zO02A3A6E6\Cracked.reg"
      PID: 2496
      Runs .reg file with regedit
    C:\Windows\regedit.exe
      Command line: "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\7zO02A5CDA7\Cracked.reg"
      PID: 2168
      Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 120B
MD5: a95106d7c9fc3fb18a2fbe1885de09dd
SHA1: 3debdeee76208de099b80eff33949371f02bf575
SHA256: 61df13bae98f10c330a751875146dd81bca223036d6470ebb9fffdc0b47f0fe2
SHA512: d81d70466f4ff81111d2a9d0a63cc7371d75568b1a1c5fe0aef638742cef30c92cddc20b22683d3fb32331d328dba57005a3698569e9edb10d1fc63ff29718b2