78dea6ce89d0ef782aaeddc45abbf492f6b272e8804d9f1528e3fea7aa81b6c6

Resubmissions

26/07/2024, 17:17

240726-vt4y8ascmp 7

Analysis

max time kernel
91s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 17:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Patch JB 2023.x.x.exe
Size

9.8MB
MD5

2225a9180e142415ae27486fc2631809
SHA1

e55621177d23583d5cfb1d0a012c06e73a7c1331
SHA256

78dea6ce89d0ef782aaeddc45abbf492f6b272e8804d9f1528e3fea7aa81b6c6
SHA512

4501aa9878f88ad2665f272c63b46781fc8e6ee64f6406aceeb309399dcbce9aafdf724d6c6d3a9b4c0a6ead89ee49aa148cae710b2c68815ba07e6a1bc72251
SSDEEP

196608:zfYJw5b8ev5zAp9uwi//sSsTUTIZjnX3uAx3N3rgiq3VzO6s3rr7jC:zwJXnp9ul/0UMRnu+3OFFzO13rrfC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	7z2201.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3612	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\es.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kab.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tk.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Uninstall.exe	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\7-zip.chm	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\en.ttt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ky.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nb.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ps.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\uz.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gu.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\he.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ast.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sv.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\License.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kab.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sl.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\7z.sfx	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mng.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\id.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\af.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cs.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7-zip.dll	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ka.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Uninstall.exe	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.dll	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zCon.sfx	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ru.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ru.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mr.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\pa-in.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ne.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ba.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\vi.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sr-spc.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tg.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7-zip.chm	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\eo.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\cs.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\et.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.exe	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\co.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	7z2201.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2201.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2201.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: 36	2704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: 36	2704	WMIC.exe
Token: SeDebugPrivilege	3612	tasklist.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 896	344	Patch JB 2023.x.x.exe	84
PID 344 wrote to memory of 896	344	Patch JB 2023.x.x.exe	84
PID 896 wrote to memory of 1264	896	cmd.exe	86
PID 896 wrote to memory of 1264	896	cmd.exe	86
PID 896 wrote to memory of 1264	896	cmd.exe	86
PID 896 wrote to memory of 4080	896	cmd.exe	95
PID 896 wrote to memory of 4080	896	cmd.exe	95
PID 896 wrote to memory of 5092	896	cmd.exe	96
PID 896 wrote to memory of 5092	896	cmd.exe	96
PID 896 wrote to memory of 2992	896	cmd.exe	97
PID 896 wrote to memory of 2992	896	cmd.exe	97
PID 2992 wrote to memory of 2704	2992	cmd.exe	98
PID 2992 wrote to memory of 2704	2992	cmd.exe	98
PID 896 wrote to memory of 3656	896	cmd.exe	99
PID 896 wrote to memory of 3656	896	cmd.exe	99
PID 3656 wrote to memory of 3612	3656	cmd.exe	100
PID 3656 wrote to memory of 3612	3656	cmd.exe	100
PID 896 wrote to memory of 1812	896	cmd.exe	101
PID 896 wrote to memory of 1812	896	cmd.exe	101
PID 896 wrote to memory of 3644	896	cmd.exe	102
PID 896 wrote to memory of 3644	896	cmd.exe	102
PID 896 wrote to memory of 3620	896	cmd.exe	103
PID 896 wrote to memory of 3620	896	cmd.exe	103
PID 3620 wrote to memory of 4188	3620	cmd.exe	104
PID 3620 wrote to memory of 4188	3620	cmd.exe	104
PID 896 wrote to memory of 2648	896	cmd.exe	105
PID 896 wrote to memory of 2648	896	cmd.exe	105
PID 2648 wrote to memory of 1036	2648	cmd.exe	106
PID 2648 wrote to memory of 1036	2648	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Patch JB 2023.x.x.exe
"C:\Users\Admin\AppData\Local\Temp\Patch JB 2023.x.x.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8J6QSJ57.bat" "C:\Users\Admin\AppData\Local\Temp\Patch JB 2023.x.x.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\qbE577D3E.4D\7z2201.exe
    "C:\Users\Admin\AppData\Local\Temp\qbE577D3E.4D\7z2201.exe" /S
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Program successfully licensed! "
    3⤵
    PID:4080
- - C:\Windows\system32\msg.exe
    msg *
    3⤵
    PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_LocalTime Get Day,Month,Year /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3612
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
    3⤵
    PID:1812
- - C:\Windows\system32\reg.exe
    reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
    3⤵
    PID:3644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
      4⤵
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
      4⤵
      PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8J6QSJ57.bat

Filesize
52KB

MD5
dc730f24799df72d573c61fbe2cfe19f

SHA1
ed32a6451d826210590cd935c059db207d2c89ae

SHA256
3ad7d102e167a040188c725dfcb789e31e11d11acfd6f395246275744497e320

SHA512
7c880e148507b83bba6f4d2fcd787715e20ce36f974c1f02a2725a7e411df0b541b38dce9c19ae9837bfebb3f28f0a533efac4eb5604dfa3ebb3ecc910db6cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE577D3E.4D\7z2201.exe

Filesize
1.2MB

MD5
734e95cdbe04f53fe7c28eeaaaad7327

SHA1
e49a4d750f83bc81d79f1c4c3f3648a817c7d3da

SHA256
8c8fbcf80f0484b48a07bd20e512b103969992dbf81b6588832b08205e3a1b43

SHA512
16b02001c35248f18095ba341b08523db327d7aa93a55bcee95aebb22235a71eae21a5a8d19019b10cac3e7764a59d78cf730110bae80acc2ff249bbc7861ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE577D3E.4D\cnf

Filesize
50B

MD5
35e1bb2031151679c925845801adefbe

SHA1
c07e1003257cf02ca7b672ac0db075489531729c

SHA256
5f62ef0df8a6b126356145b88954c150e2d56c4ee2312de011a36949719a9849

SHA512
630f69f51b09f1b33adb88154c5da63f7d4b7f3f7b714a4adac23b0db3e8d66bb4ba1df68b6324ccc8b9498275fe224155d77a9c5e85a7a4c2ae5b33f013d4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE577D3E.4D\jb.7z

Filesize
67KB

MD5
3056453b2ea9a7987180a0f7c6e0601d

SHA1
069178ea6b242cd326a2ca2b983816c412ea9307

SHA256
b572e1b4af12863e3444049875bc5fdfcf5b126f29938d4d1a46d3a473554c49

SHA512
8f86ec1ac4f6190c057816914648a448531f402a7b91dc956ec975a951bc95e52f3228984a5d3b1f609924f40fabe8d8f55f4ecf58db44f0ef94f42e95b0b425

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE577D3E.4D\jbk.7z

Filesize
7KB

MD5
e4e67d6f10c69cb29c4815a2ecda209f

SHA1
92eef38f4e992bc00df9d15ad13b244e8c0c407e

SHA256
52b7e3123089a575490bbd81342a10ad6aba22fc54c2a7d5e6d1fc421e99f60d

SHA512
92f08578a0998370f974ee90925f4f943eb7c039cf4d9ee7c9474a52ee9b1deebd3a8c792de1228f667b0b0cb13871dcfe19a81fa227e60d6efff788330a2d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE577D3E.4D\jbl.7z

Filesize
8.0MB

MD5
65a51eeedd7c1924e035b74347b4e484

SHA1
3a5afa74bd5eaddb19e6b48b892a91f2fd7665ea

SHA256
f5e5de757f9009921df4d15f692ce4331787c276e48999fa09d367829621e43e

SHA512
ad41cf2c8a06efb858826191bf8e4ae66d6ea67d7ba7ebeba9f3db13d2999127692640a94357b5a1bc35814e107d306c4d73752d2a999a447fa15455304eef21

Download Submit
memory/344-234-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads