Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-09-2024 16:32

General

  • Target

    7boot.exe

  • Size

    264KB

  • MD5

    b1e7a0ab4fe9186aece0cd7d0f96f569

  • SHA1

    82570041e123b1b078cf8daa6da77450ceee5978

  • SHA256

    e42ff63a5e2066de32e0f1121dc3e90b6810fa0af2aee5f760e3486375fbae55

  • SHA512

    8806ab4dcacd01d9e13af8b6eb5311dadba7d58413559eceed2d28a44c2ef10729d4d4bb39616099e0bcf2f095ef3abc19a80661363ade009315f548c6ab2ccb

  • SSDEEP

    6144:2zG8nriOnW/rGgGcHkf3LrMOdHY6C3LBo1Ov2yoLK0:O1DYrVkf3L3NY56/j

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7boot.exe
    "C:\Users\Admin\AppData\Local\Temp\7boot.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Skin Pack\Lion\unistall.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Program Files (x86)\Skin Pack\Lion\Win7BootUpdaterCmd.exe
        Win7BootUpdaterCmd /restore
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 908
          4⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:3972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Skin Pack\Lion\Win7BootUpdaterCmd.exe

    Filesize

    272KB

    MD5

    4c26092f628205e2a8302c190d5f12bc

    SHA1

    c7474941ed2a3dbb02e12040595ea9cd56145e01

    SHA256

    b3674e5f0693201bc7d55005220fe26753baf833d86e75f2363a5dbdb2480ed1

    SHA512

    e4bcf831261253140a33265c8ae51b77f9f5f6ecfa914f313824bf199e8f2131b9df7e4adf3430c0850e234d731f4774ace7b7e6c82176ce1a6e4f8fab3cb49e

  • C:\Program Files (x86)\Skin Pack\Lion\unistall.cmd

    Filesize

    27B

    MD5

    b1ce10f72a52820540050951c6154f53

    SHA1

    f7230ff1efc5591b3fbb6ea121f9121a4b467db3

    SHA256

    6231cd409972524bb08297919786447d56ca6c26fcd34b82d9bc6c5018887d4f

    SHA512

    270d0d9fd15a7e6d8809c10bceefc5b0e117bf579a1944bd9a98289c480067c606c353eb17001899eb956d4dd3af175dc7bd4603c35e438fb07f96c5e4526169

  • memory/1432-19-0x0000000072772000-0x0000000072773000-memory.dmp

    Filesize

    4KB

  • memory/1432-20-0x0000000072770000-0x0000000072D21000-memory.dmp

    Filesize

    5.7MB

  • memory/1432-21-0x0000000072770000-0x0000000072D21000-memory.dmp

    Filesize

    5.7MB

  • memory/1432-22-0x0000000072770000-0x0000000072D21000-memory.dmp

    Filesize

    5.7MB

  • memory/1432-29-0x0000000072770000-0x0000000072D21000-memory.dmp

    Filesize

    5.7MB

  • memory/2128-31-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB