7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Size

1.9MB
MD5

3d4f9458125b95f8b58dd0b88e7915d7
SHA1

f1a1df18357053ffd8317dfc55506b43caa47daa
SHA256

7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af
SHA512

feab5b7b668592efa4932c90c81425ac2ac6c40b14fdee500e2bb8ab29930854bd01a7225e9754560d92bb08d4a090be925ac4a5802c08b509a9f22058d89ed2
SSDEEP

49152:Hi39+084E6W4W8Vm/BL49aXZmMAdlR+WOK+hcY2q0e8:6+HVb4W8QR49unORImv

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\zzLWYFQHYgEmUXMATrA\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\zzLWYFQHYgEmUXMATrA"	load.exe

Executes dropped EXE 2 IoCs

pid	Process
2416	sg.tmp
2252	load.exe

Loads dropped DLL 6 IoCs

pid	Process
2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
2740	cmd.exe
2252	load.exe
2252	load.exe
2252	load.exe
2252	load.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2252	load.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeBackupPrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeRestorePrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: 33	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeIncBasePriorityPrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: 33	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeIncBasePriorityPrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: 33	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeIncBasePriorityPrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeRestorePrivilege	2416	sg.tmp
Token: 35	2416	sg.tmp
Token: SeSecurityPrivilege	2416	sg.tmp
Token: SeSecurityPrivilege	2416	sg.tmp
Token: 33	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeIncBasePriorityPrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeLoadDriverPrivilege	2252	load.exe
Token: SeDebugPrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: 33	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeIncBasePriorityPrivilege	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeBackupPrivilege	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeRestorePrivilege	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: 33	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
Token: SeIncBasePriorityPrivilege	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2528	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	30
PID 2384 wrote to memory of 2528	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	30
PID 2384 wrote to memory of 2528	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	30
PID 2384 wrote to memory of 2528	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	30
PID 2384 wrote to memory of 2416	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	32
PID 2384 wrote to memory of 2416	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	32
PID 2384 wrote to memory of 2416	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	32
PID 2384 wrote to memory of 2416	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	32
PID 2384 wrote to memory of 2740	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	34
PID 2384 wrote to memory of 2740	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	34
PID 2384 wrote to memory of 2740	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	34
PID 2384 wrote to memory of 2740	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	34
PID 2740 wrote to memory of 2252	2740	cmd.exe	36
PID 2740 wrote to memory of 2252	2740	cmd.exe	36
PID 2740 wrote to memory of 2252	2740	cmd.exe	36
PID 2384 wrote to memory of 2688	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	37
PID 2384 wrote to memory of 2688	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	37
PID 2384 wrote to memory of 2688	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	37
PID 2384 wrote to memory of 2688	2384	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	37
PID 2688 wrote to memory of 2676	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	38
PID 2688 wrote to memory of 2676	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	38
PID 2688 wrote to memory of 2676	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	38
PID 2688 wrote to memory of 2676	2688	7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe	38

C:\Users\Admin\AppData\Local\Temp\7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
"C:\Users\Admin\AppData\Local\Temp\7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\~3798946134814634044~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~1747239427400622307"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\~1747239427400622307\11.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\~1747239427400622307\load.exe
    load.exe WIN950.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- C:\Users\Admin\AppData\Local\Temp\7ab3d03e3b85e93b6867e3dfbf29a2b00b10b41718a1628b5ebeb3de2acdb9af.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~2524794190465434556.cmd"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~2524794190465434556.cmd"
    3⤵
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1747239427400622307\11.bat

Filesize
48B

MD5
c44c912ce8cb08c448cbd3fa8d84ecf0

SHA1
3bb4177aa12186056b1d4760d4046f77698edf17

SHA256
d901413a2f4597832523af5f968b9b72bc003ecca4540206446467083adde38a

SHA512
2ea057f2217dec4a04cc6d7e843662200f790919bf29281b274e90d5b888b1cb62778d56abadf996ee43fcb0405bb4d446505122aafbbe5dede7915d431bb0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1747239427400622307\WIN950.sys

Filesize
17KB

MD5
6fb4ecd1afa698e1cd1f5680116f7aa7

SHA1
68eae39e8ea56a5e1d9657d7ac2a8be742dc5bc4

SHA256
e1894b77d61abaf68e36c7dfee1d7662f43576ee498b6133aa9713f9dcdeab8e

SHA512
b870c2e883df77a712d73668e8a0ec181c41f7d10bdd78bd25c616fddb024c6fa65edefdab334c95eb750f3f7d39a4ace144d660e934ea2d2f1ccc107b8be184

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1747239427400622307\load.exe

Filesize
556KB

MD5
d5457ab33b79357d0c0acaa17119a44d

SHA1
572d3003af20308bf13bcddbbe4d85c9dbc6de35

SHA256
3dbf0e5076a5a3997f89e9e57d7452cc7f9d1dd131a16da44cdd288ca791eccb

SHA512
90e752d1c0dd4f6b51df843055dc3ab31db3f10d53f2b608bade1048e8d5f1dd2f8398acd1f2e54eedea1103291ae56918c50e0902af1f74ab0a39e136826c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2524794190465434556.cmd

Filesize
373B

MD5
40f2943469a5bcbcd9f56bf68f755372

SHA1
6bc198308aec16777d135be8889c87f9e3b20916

SHA256
2e92e1f991fabc58e443a92173e34902e17354fce95a931ef0f215cfa3466ae9

SHA512
05fd715f4f4599f8900fc54f6fca019b542cc854874d5fa36ab7f5329b988496789a97d5158fbd50a27bda8993a72e37690a0db2fdf4801e1f08f6cf08a1312a

Download Submit
\Users\Admin\AppData\Local\Temp\~1747239427400622307\msvcp140d.dll

Filesize
977KB

MD5
37dc8cc78ecbcd12f27e665b70baefa7

SHA1
46fb9910cc10c4c0c52b547700e1950ce233be89

SHA256
b53add5b7bd6bb11fecc7be159885d0b75736d02423c11edc6eeb6f4bea80f6c

SHA512
078b0b408510c07eac85518f03a9e3fac8e4c8e2e36ccb8cd26962498c7f5bedbd79f7034af3ebfef9984f85d81c9032446b1b5c156b2174a769657ea0ab60a1

Download Submit
\Users\Admin\AppData\Local\Temp\~1747239427400622307\ucrtbased.dll

Filesize
1.7MB

MD5
c3130cfb00549a5a92da60e7f79f5fc9

SHA1
56c2e8fb1af609525b0f732bb67b806bddab3752

SHA256
eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8

SHA512
29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

Download Submit
\Users\Admin\AppData\Local\Temp\~1747239427400622307\vcruntime140_1d.dll

Filesize
58KB

MD5
868fd5f1ab2d50204c6b046fe172d4b8

SHA1
f2b43652ef62cba5f6f04f32f16b6b89819bc978

SHA256
104e5817ece4831e9989d8937c8dfe55d581db6b5bc8e22a1b492ca872eda70e

SHA512
402a0402b318539f26eac2fcd890700d2103f8eabd4b5289b64e2cdb5c30f4bb2b18f342c8a1ecc2cafb3f1d4258387a5300f9a86056f27b176b3fe995f9fc9d

Download Submit
\Users\Admin\AppData\Local\Temp\~1747239427400622307\vcruntime140d.dll

Filesize
128KB

MD5
f57fb935a9a76e151229f547c2204bba

SHA1
4021b804469816c3136b40c4ceb44c8d60ed15f5

SHA256
a77277af540d411ae33d371cc6f54d7b0a1937e0c14db7666d32c22fc5dca9c0

SHA512
cd9fc3fc460eba6a1b9f984b794940d28705ecb738df8595c2341abe4347141db14a9ff637c9f902e8742f5c48bbb61da7d5e231cc5b2bad2e8746c5a3e3e6ed

Download Submit
\Users\Admin\AppData\Local\Temp\~3798946134814634044~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/2252-29-0x000000013FE20000-0x000000013FEDC000-memory.dmp

Filesize
752KB

Download
memory/2252-39-0x000000013FE20000-0x000000013FEDC000-memory.dmp

Filesize
752KB

Download
memory/2740-28-0x000000013FE20000-0x000000013FEDC000-memory.dmp

Filesize
752KB

Download