6feaf0b5d0a265687c41284286c03b9160833880b77eda231513b3d36b2ab73d

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MKL_fishingSwitchCity_V3.0.rar
Size

109.9MB
MD5

a81b6c52892841fda028b7b76bda7b21
SHA1

03d9dc7175fbadd96748fe3b8dc1316c7abec426
SHA256

6feaf0b5d0a265687c41284286c03b9160833880b77eda231513b3d36b2ab73d
SHA512

7633d334cef8ad254fbf8166ea7722415c7878d1bda23e12bb7d3f0446b7548a1c6f0d07ae7f31347ff9044ce11c88aa8983136eada2d1d0529a27d29a734076
SSDEEP

3145728:r0K8Dhq59dzN3X8iBE23xoi/mtLEGOuyqNM6C:YKskDzlM2HxoiutLE/uM6C

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

7zFM.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico 7zFM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2500 7zFM.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 2500 7zFM.exe
Token: 35 2500 7zFM.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zFM.exe

pid process

2500 7zFM.exe

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	7zFM.exe

pid	process
2500	7zFM.exe

description	pid	process
Token: SeRestorePrivilege	2500	7zFM.exe
Token: 35	2500	7zFM.exe

pid	process
2500	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2784 wrote to memory of 2500	2784	cmd.exe	7zFM.exe
PID 2784 wrote to memory of 2500	2784	cmd.exe	7zFM.exe
PID 2784 wrote to memory of 2500	2784	cmd.exe	7zFM.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MKL_fishingSwitchCity_V3.0.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MKL_fishingSwitchCity_V3.0.rar"
2⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2500

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads