cfd8048f1244c8a839a6ecae5d014013d15e4efe1a387869889a2e2def82a3af

Resubmissions

19-09-2024 07:29

240919-jbcapsxeqk 7

19-09-2024 07:27

19-09-2024 07:21

19-09-2024 07:04

19-09-2024 07:04

19-09-2024 07:00

Analysis

max time kernel
135s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.rar
Size

4.3MB
MD5

d2d30eb66c8919cb33dd969b3aaff546
SHA1

2719e1527820a076c540f40b4342be09b2e1b66e
SHA256

57d0aa2a1d890f1b58a8b361c7cc2e1ef1829743f9e68a17e0e076b24ee6cb93
SHA512

3fcd0721272d09575452b672bc824a915efe32c9fb72e3357ab00c19b52d91079c02f62096d3b665f607f2afedcdff1f4c82f6e849204a30e28bc7af0d46ec6d
SSDEEP

98304:gCdtJmBbsufP6iry6PXnMtWNQrMob5rJB+n2lb:gCd/0bLfPb26f8QgrJVlb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
424	internationalPaymentDetails .exe
5092	internationalPaymentDetails .exe
1008	internationalPaymentDetails .exe

Loads dropped DLL 12 IoCs

pid	Process
424	internationalPaymentDetails .exe
424	internationalPaymentDetails .exe
424	internationalPaymentDetails .exe
424	internationalPaymentDetails .exe
5092	internationalPaymentDetails .exe
5092	internationalPaymentDetails .exe
5092	internationalPaymentDetails .exe
5092	internationalPaymentDetails .exe
1008	internationalPaymentDetails .exe
1008	internationalPaymentDetails .exe
1008	internationalPaymentDetails .exe
1008	internationalPaymentDetails .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	internationalPaymentDetails .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	internationalPaymentDetails .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	internationalPaymentDetails .exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	internationalPaymentDetails .exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	internationalPaymentDetails .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	internationalPaymentDetails .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	internationalPaymentDetails .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	internationalPaymentDetails .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	internationalPaymentDetails .exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
424	internationalPaymentDetails .exe
5092	internationalPaymentDetails .exe
1008	internationalPaymentDetails .exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	2124	7zG.exe
Token: 35	2124	7zG.exe
Token: SeSecurityPrivilege	2124	7zG.exe
Token: SeSecurityPrivilege	2124	7zG.exe
Token: SeRestorePrivilege	1960	7zG.exe
Token: 35	1960	7zG.exe
Token: SeSecurityPrivilege	1960	7zG.exe
Token: SeSecurityPrivilege	1960	7zG.exe
Token: SeDebugPrivilege	424	internationalPaymentDetails .exe
Token: SeDebugPrivilege	424	internationalPaymentDetails .exe
Token: SeDebugPrivilege	424	internationalPaymentDetails .exe
Token: SeDebugPrivilege	5092	internationalPaymentDetails .exe
Token: SeDebugPrivilege	5092	internationalPaymentDetails .exe
Token: SeDebugPrivilege	5092	internationalPaymentDetails .exe
Token: SeDebugPrivilege	1008	internationalPaymentDetails .exe
Token: SeDebugPrivilege	1008	internationalPaymentDetails .exe
Token: SeDebugPrivilege	1008	internationalPaymentDetails .exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2124	7zG.exe
1960	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4436	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\123.rar
1⤵
- Modifies registry class
PID:788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4544

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\123\" -spe -an -ai#7zMap4661:86:7zEvent21637
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2124

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\123\" -spe -an -ai#7zMap27052:64:7zEvent5481
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1960

C:\Users\Admin\Desktop\123\internationalPaymentDetails\internationalPaymentDetails .exe
"C:\Users\Admin\Desktop\123\internationalPaymentDetails\internationalPaymentDetails .exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Users\Admin\Desktop\123\internationalPaymentDetails\internationalPaymentDetails .exe
"C:\Users\Admin\Desktop\123\internationalPaymentDetails\internationalPaymentDetails .exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Users\Admin\Desktop\123\internationalPaymentDetails\internationalPaymentDetails .exe
"C:\Users\Admin\Desktop\123\internationalPaymentDetails\internationalPaymentDetails .exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\123\internationalPaymentDetails\ActionCenter.dll

Filesize
2.8MB

MD5
6600755c2a115ab24862611227e83e3d

SHA1
2067379db6a1817513c0f5de5640906bb7168f78

SHA256
c4b436e2b74e8b98bccf9ec8348fbbd6384d309c5c67d2fb995293d380e9bc31

SHA512
fb94b75c6dad7d4d55b79cbbdb8564c0aca5d3ece2a743bbcc169df4070a8444a344c8d221fc5894de85cbc10d555bc4d0cd4a70d91f623bc05d38f9ba94ebe5

Download Submit
C:\Users\Admin\Desktop\123\internationalPaymentDetails\VCRUNTIME140.dll

Filesize
107KB

MD5
146eb6b29080a212b646289808ae0818

SHA1
e5d9801f226ecd3af662df225f751ae8a8934357

SHA256
f66c606d2ee6bbca375ab4268b0c6aef5170a4ca580a00e17a56057a7a127743

SHA512
0824b42ca2539709f77134ffea9c10fc9f4c126b6a309bd5d3ddd02a660ef98d63b178219d83b173340798c479a1008c2d4f57830898673043fee2450a210a58

Download Submit
C:\Users\Admin\Desktop\123\internationalPaymentDetails\cors

Filesize
281KB

MD5
fc514d0a4ee2ed23157d0ec1f767d1b0

SHA1
c2675e3ac646837e17441b699eb30445053d8b1e

SHA256
15a2e189ab11cd32e599eb6aebfca559047a882d5137a39c97f0136f64143bb2

SHA512
7f6aa5ae7f17f87a960d40155a05b98d80572f59cfc6b4bee6ccf2383d356977861061400b48aadb91b5cc3ec24da1c6c637f15d72fd1c7fac1bcc2835813b85

Download Submit
C:\Users\Admin\Desktop\123\internationalPaymentDetails\internationalPaymentDetails .exe

Filesize
24KB

MD5
dbf001709c85cb1040c86b56dd29e02a

SHA1
8d1c67f18756fc93af61c45a7ccdd88554590c4f

SHA256
5c5ce4bf348150622adb9f71ed42879c4a5ebf99c94c2be940141d28f2c8275d

SHA512
7e59d49be1d670a3b74af5a4340c7d3f041f3a690fbf9d3f35ee9111ae5e6dc56b2486dd8e044f2c88c7d439a35821fa75164e74c7d7456c3e70b78420dc409e

Download Submit
C:\Users\Admin\Desktop\123\internationalPaymentDetails\jli.dll

Filesize
3.3MB

MD5
e183e315399e95064a29ed71d1dad374

SHA1
a1ccec3ca697bdd54faa8224b91c529bd24428a0

SHA256
2a11f2efc2b73b145409846a2956f620e76cbc8bd2d3ec023ca9dfa1e63b3ad2

SHA512
ec79c813c1ba3f49e8a91abe5aa51a28e1b179e73078d5abc14206a7e9830b969c0f6f6ca010c72d608bc34144f7e8f1be5a36910560ef8058fa23cab225baaa

Download Submit
\Users\Admin\Desktop\123\internationalPaymentDetails\Hoister.dll

Filesize
3.9MB

MD5
8a526ac02b6071c5cf74d7b88442cada

SHA1
7468d665d709baf9f5d4bc76465a84f13723beb2

SHA256
69e3ef284301526f65711083898f3e3c8ed5001f96d59c59a6bff1456c6166db

SHA512
2a81735d205097e0d16b254b9f0299c5ef84033d1447b6da03476001860ba4c92a6b8b8ad4e6262d35e7b1da672582fe9f372569eb55f2c3a6288b00554456d8

Download Submit