Analysis
max time kernel: 129s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 03:53
Static task: static1
Behavioral tasks (sample, resource):
behavioral1: cmlauncher.zip, win7-20231129-en
behavioral2: cmlauncher.zip, win10v2004-20240611-en
behavioral3: Instructions.txt, win7-20240419-en
behavioral4: Instructions.txt, win10v2004-20240508-en
behavioral5: installer.rar, win7-20240221-en
behavioral6: installer.rar, win10v2004-20240508-en
behavioral7: winrar-x64.exe, win7-20240220-en
behavioral8: winrar-x64.exe, win10v2004-20240508-en
General
Target: installer.rar
Size: 2.2MB
MD5: 932e1521933cb130a32417ebefcd7f65
SHA1: 6498a4ef4a5aa03a4a244a4e1786f89fcc135a18
SHA256: fc9b9cc6bc5073977a2b4f50f6e0c7583106019a8e642514aa9dc11666013366
SHA512: 2d56ea1b910972957fe0aa0e0457f7328392b723c88f36af873278383fa19d1c802a07bc42ab5d642cfbb257886c29df271c15980ea2c077fbf27bb3e9c49a73
SSDEEP: 49152:WkiX7fzXIPeyum2UJCUle2JtQn7X/CI8pycA9QU3aB/F6UIS:IbzXenum2GtQL/zeyTo96TS
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: 7zFM.exe, AUDIODG.EXE
description, pid, process:
Token: SeRestorePrivilege 2612 7zFM.exe
Token: 35 2612 7zFM.exe
Token: 33 2176 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2176 AUDIODG.EXE
Token: 33 2176 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2176 AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 7zFM.exe
pid, process:
2612 7zFM.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: cmd.exe
description, pid, process, target process:
PID 1032 wrote to memory of 2612 1032 cmd.exe 7zFM.exe
PID 1032 wrote to memory of 2612 1032 cmd.exe 7zFM.exe
PID 1032 wrote to memory of 2612 1032 cmd.exe 7zFM.exe
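Triage note on the signature hits above. The two numeric privileges the sandbox left unresolved are winnt.h LUIDs: 33 is SeIncreaseWorkingSetPrivilege and 35 is SeCreateSymbolicLinkPrivilege, so 7zFM.exe enabled SeRestorePrivilege and SeCreateSymbolicLinkPrivilege (what an archiver needs to restore attributes and symlinks on extraction) and AUDIODG.EXE enabled two priority/working-set privileges. The three WriteProcessMemory hits are cmd.exe (PID 1032) writing into the 7zFM.exe child it had just spawned, which is how CreateProcess sets up a new process, not injection. The script below is an added example, not sandbox output: it parses the report's own signature text (plus two constructed notepad.exe lines, PID 4444, that are not in the report and exist only to exercise the alert paths), resolves the LUIDs, and flags a privilege or memory write only when it falls outside an assumed per-image allow-list or comes from something other than the target's parent. The allow-list and the HIGH_VALUE set are the author's assumptions.

```python
"""Triage AdjustPrivilegeToken / WriteProcessMemory sandbox hits.
Added example; not the sandbox's code. Allow-lists are assumptions."""
import re
from collections import defaultdict

# winnt.h privilege LUIDs that the sandbox printed unresolved in this report.
PRIVILEGE_LUIDS = {
    20: "SeDebugPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",  # SE_INC_WORKING_SET_PRIVILEGE
    35: "SeCreateSymbolicLinkPrivilege",  # SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
}

# Privileges worth escalating no matter which image enables them (assumption).
HIGH_VALUE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege"}

# Assumed allow-list: privileges these images enable in normal operation
# (an archiver restoring attributes/symlinks; the audio engine tuning itself).
EXPECTED = {
    "7zfm.exe": {"SeRestorePrivilege", "SeBackupPrivilege", "SeCreateSymbolicLinkPrivilege"},
    "audiodg.exe": {"SeIncBasePriorityPrivilege", "SeIncreaseWorkingSetPrivilege"},
}

# Signature text as printed in the report, then two CONSTRUCTED lines
# (pid 4444 / notepad.exe) that are not in the report, added to hit the alert paths.
REPORT_TEXT = (
    "Token: SeRestorePrivilege 2612 7zFM.exe Token: 35 2612 7zFM.exe "
    "Token: 33 2176 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2176 AUDIODG.EXE "
    "Token: 33 2176 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2176 AUDIODG.EXE "
    "PID 1032 wrote to memory of 2612 1032 cmd.exe 7zFM.exe "
    "PID 1032 wrote to memory of 2612 1032 cmd.exe 7zFM.exe "
    "PID 1032 wrote to memory of 2612 1032 cmd.exe 7zFM.exe "
    "Token: SeDebugPrivilege 4444 notepad.exe "                        # constructed
    "PID 4444 wrote to memory of 1732 4444 notepad.exe explorer.exe"   # constructed
)

# Parent map taken from the report's process tree: cmd.exe (1032) spawned 7zFM.exe (2612).
PARENTS = {2612: 1032}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_token_events(text):
    """{(pid, image): set(privilege names)}; numeric LUIDs resolved via PRIVILEGE_LUIDS."""
    events = defaultdict(set)
    for priv, pid, image in TOKEN_RE.findall(text):
        if priv.isdigit():
            priv = PRIVILEGE_LUIDS.get(int(priv), "LUID:" + priv)
        events[(int(pid), image)].add(priv)
    return dict(events)


def parse_wpm_events(text):
    """[(writer_pid, target_pid, writer_image, target_image)] per WriteProcessMemory hit."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in WPM_RE.findall(text)]


def triage_privileges(events):
    """Per process: 'expected' (all on the allow-list), 'high' (a HIGH_VALUE privilege
    outside the allow-list) or 'review' (anything else outside the allow-list)."""
    verdicts = {}
    for (pid, image), privs in events.items():
        unexpected = privs - EXPECTED.get(image.lower(), set())
        if unexpected & HIGH_VALUE:
            verdicts[(pid, image)] = ("high", sorted(unexpected & HIGH_VALUE))
        elif unexpected:
            verdicts[(pid, image)] = ("review", sorted(unexpected))
        else:
            verdicts[(pid, image)] = ("expected", sorted(privs))
    return verdicts


def triage_wpm(events, parents):
    """Keep only writes whose writer is not the target's parent: a parent writing into
    the child it just created is CreateProcess start-up, not injection."""
    return [e for e in events if parents.get(e[1]) != e[0]]


if __name__ == "__main__":
    for key, verdict in triage_privileges(parse_token_events(REPORT_TEXT)).items():
        print(key, verdict)
    for hit in triage_wpm(parse_wpm_events(REPORT_TEXT), PARENTS):
        print("possible injection:", hit)
```

On the report's own lines both processes come out as "expected" and no memory write survives the parent filter; only the constructed notepad.exe lines produce a "high" verdict and an injection candidate. The parent map is the part that matters in practice: without it, every process launch in a sandbox trips the WriteProcessMemory signature.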
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\installer.rar
  - Suspicious use of WriteProcessMemory
  PID: 1032
  -
  C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\installer.rar"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2612
-
C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  PID: 1732
-
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x560
  - Suspicious use of AdjustPrivilegeToken
  PID: 2176