Overview

overview

10

Static

static

3

MF.rar

windows7-x64

7

MF.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    242s
  • max time network
    306s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-09-2024 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MF.rar

  • Size

    2.1MB

  • MD5

    eed0d2091538ec14cf4ab86b27a896de

  • SHA1

    5a9675ab6414bd8fa80ebb32d341059c4ee96513

  • SHA256

    1760d602c9fc8043652f0d965c8b4f8e9810c21b9e3d85b38e5094d5d6a2843e

  • SHA512

    fd853c4185100a2dd4c59238308385622aeb61d422c484989b857b6dafcbd723a761c1dde77903360f998523861120ed7248db549b58f376867cf1ffe94d4951

  • SSDEEP

    49152:HtGkOOocZy+ymNHJ24Naai+DUqJ4RjZpdrDiBf61ieean7n:NGkOOocZy+ymhNaaCY4rphGBfaBn

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\MF.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MF.rar
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MF.rar
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\MF.rar"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:1428
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:288
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x508
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\MF\" -spe -an -ai#7zMap11014:84:7zEvent12776
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2576
    • C:\ProgramData\Microsoft\MF\thelper.exe
      "C:\ProgramData\Microsoft\MF\thelper.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\thelper.exe
        "C:\Users\Admin\AppData\Local\thelper.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\MF\Mi.jpg
      Filesize

      214KB

      MD5

      5d2ea1b6fd1cc5d08e455e7ad51e0f4c

      SHA1

      1b0bd077db590bcdcd5226208b02cb5a63f8c646

      SHA256

      9fb667f6f3fa36e5c06795e09996f3c4e2a531bf722a02e999b0862d512893a9

      SHA512

      f37b46ffa4fd75bd74a71221440fa373657fec6f943812e7f56304de5f57ad4ddf9465de9b39f338af2978c7105ca6af973556b772ffa86ca49c418861c5f3ae

      Download Submit

    • C:\ProgramData\Microsoft\MF\XLUE.dll
      Filesize

      2.4MB

      MD5

      0abbe96e1f7a254e23a80f06a1018c69

      SHA1

      0b83322fd5e18c9da8c013a0ed952cffa34381ae

      SHA256

      10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

      SHA512

      2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

      Download Submit

    • C:\ProgramData\Microsoft\MF\ic.dll
      Filesize

      1.6MB

      MD5

      6a718dd2abeb2eed131f1cc806ac5779

      SHA1

      c33f8b477b44030efd9687e4da3fa6865a2d9ec9

      SHA256

      43d45a8a3a80192738b62071dcb5f8d4a8bccbe5291fff4885ef0905ca6184c6

      SHA512

      c0967fb8e40f737eb282c1ffef05f30e61b7ff7c889d43da85fb2ddd123d3f69daeabe5ea5609d5f87b1c84b27bcb3b3e11290bae5643c2dfe8c296d2e18fa6c

      Download Submit

    • C:\ProgramData\Microsoft\MF\thelper.exe
      Filesize

      225KB

      MD5

      8a8f890b8858b103c8b212f23530e57a

      SHA1

      bda99503cb1d61774f6bac690d0cd2f55987c3f1

      SHA256

      cace00054b96a7d71f42f4d838e4288b0e2872de541669114df5d79d72f67d40

      SHA512

      6b50e5c792693d85796f9338f4a35c14ea9df2fe24b20662a664a146867708000afc39ac1cf47dbb66b4ba325bbf03fae6d4e03d9c28613402469d189e7b871d

      Download Submit

    • \ProgramData\Microsoft\MF\XLFSIO.dll
      Filesize

      900KB

      MD5

      0f1dec57c5b19ce955213acdb4b8a806

      SHA1

      10fc8761f5a4b0eb03b7c71f65cddf4cad43bd18

      SHA256

      034f10e6615ad547e54a66d2096831934ff30e72293553c4f432fb8f2f06160f

      SHA512

      92aeadd53e682bfe35b849e751fb8eed98af643040e4da3e1bf24817ad1c540834607470a29e750e0e73525fb154f155c76a04c8435b79dcdbc1ea7464eddd5f

      Download Submit

    • \ProgramData\Microsoft\MF\XLFSIO2.dll
      Filesize

      209KB

      MD5

      1bc7af7a8512cf79d4f0efc5cb138ce3

      SHA1

      68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

      SHA256

      ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

      SHA512

      84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

      Download Submit

    • \ProgramData\Microsoft\MF\XLGraphic.dll
      Filesize

      730KB

      MD5

      74c75ae5b97ad708dbe6f69d3a602430

      SHA1

      a02764d99b44ce4b1d199ef0f8ce73431d094a6a

      SHA256

      89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

      SHA512

      52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

      Download Submit

    • \ProgramData\Microsoft\MF\XLLuaRuntime.dll
      Filesize

      249KB

      MD5

      5362cb2efe55c6d6e9b51849ec0706b2

      SHA1

      d91acbe95dedc3bcac7ec0051c04ddddd5652778

      SHA256

      1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

      SHA512

      dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

      Download Submit

    • \ProgramData\Microsoft\MF\libexpat.dll
      Filesize

      668KB

      MD5

      5ff790879aab8078884eaac71affeb4a

      SHA1

      59352663fdcf24bb01c1f219410e49c15b51d5c5

      SHA256

      cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

      SHA512

      34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

      Download Submit

    • \ProgramData\Microsoft\MF\libpng13.dll
      Filesize

      157KB

      MD5

      bb1922dfbdd99e0b89bec66c30c31b73

      SHA1

      f7a561619c101ba9b335c0b3d318f965b8fc1dfb

      SHA256

      76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

      SHA512

      3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

      Download Submit

    • \ProgramData\Microsoft\MF\mt.dll
      Filesize

      239KB

      MD5

      2e3ea2f95bfec380e7e79be332fd2012

      SHA1

      ff5d3be9b93e29342a27db14a69708ab6ad7807e

      SHA256

      b38def2980035b94f706a53b27ae7f9d31c41831b46fb70712b10a73b5068095

      SHA512

      91d79bf7c163769bd24ecc6c3b24c642a8a72d90b059297958ac01e7a8baa270954f501c25458a3df5f27fee24510d903a9a1f4b5f664f5f4152385b7f8a0906

      Download Submit

    • \ProgramData\Microsoft\MF\zlib1.dll
      Filesize

      62KB

      MD5

      37163aacc5534fbab012fb505be8d647

      SHA1

      73de6343e52180a24c74f4629e38a62ed8ad5f81

      SHA256

      0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

      SHA512

      c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

      Download Submit

    • memory/1428-36-0x000007FEF74F0000-0x000007FEF7531000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1428-57-0x000007FEF4150000-0x000007FEF4163000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1428-39-0x000007FEF6720000-0x000007FEF6731000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-40-0x000007FEF6700000-0x000007FEF6711000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-41-0x000007FEF66E0000-0x000007FEF66F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-42-0x000007FEF66C0000-0x000007FEF66DB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1428-44-0x000007FEF5E40000-0x000007FEF5E58000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1428-43-0x000007FEF66A0000-0x000007FEF66B1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-46-0x000007FEF4340000-0x000007FEF43A7000-memory.dmp

      Filesize

      412KB

      Download

    • memory/1428-45-0x000007FEF5E10000-0x000007FEF5E40000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1428-48-0x000007FEF5DF0000-0x000007FEF5E01000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-49-0x000007FEF4260000-0x000007FEF42B7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/1428-35-0x000007FEF4820000-0x000007FEF58D0000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/1428-47-0x000007FEF42C0000-0x000007FEF433C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/1428-50-0x000007FEF5DC0000-0x000007FEF5DE8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1428-51-0x000007FEF4230000-0x000007FEF4254000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1428-52-0x000007FEF4210000-0x000007FEF4228000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1428-53-0x000007FEF41E0000-0x000007FEF4203000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1428-54-0x000007FEF41C0000-0x000007FEF41D1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-55-0x000007FEF41A0000-0x000007FEF41B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1428-56-0x000007FEF4170000-0x000007FEF4191000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1428-24-0x000000013FEC0000-0x000000013FFB8000-memory.dmp

      Filesize

      992KB

      Download

    • memory/1428-37-0x000007FEFADB0000-0x000007FEFADD1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1428-38-0x000007FEFB0A0000-0x000007FEFB0B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1428-34-0x000007FEF6260000-0x000007FEF646B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1428-33-0x000007FEFB130000-0x000007FEFB141000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-32-0x000007FEFB150000-0x000007FEFB16D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1428-31-0x000007FEFAFF0000-0x000007FEFB001000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-28-0x000007FEF6F10000-0x000007FEF6F27000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1428-26-0x000007FEF5A00000-0x000007FEF5CB6000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/1428-30-0x000007FEF64D0000-0x000007FEF64E7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1428-25-0x000007FEF6510000-0x000007FEF6544000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1428-29-0x000007FEF64F0000-0x000007FEF6501000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1428-27-0x000007FEF74D0000-0x000007FEF74E8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1536-295-0x0000000074510000-0x0000000074746000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1536-291-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download

    • memory/1536-306-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download

    • memory/1536-307-0x0000000074510000-0x0000000074746000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2552-252-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download

    • memory/2552-257-0x0000000074520000-0x0000000074756000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2552-292-0x0000000074520000-0x0000000074756000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2552-282-0x0000000021C90000-0x0000000021D7F000-memory.dmp

      Filesize

      956KB

      Download