Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 07:44
Static task: static1
Behavioral task: behavioral1
  Sample: Patch_AP.23.xx.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Patch_AP.23.xx.exe
  Resource: win10v2004-20240802-en
General
Target: Patch_AP.23.xx.exe
Size: 2.5MB
MD5: 99914bca768c86a880a933885903fccc
SHA1: e0e1f7d8c8b8353523eb50c83b27a009d6d98ede
SHA256: 9b81a1c825f143fdec61cb16cdf2bce062cfcf56fd67df2b25c9cf67712e40ed
SHA512: e6340c640c1092673b4b3474c3011fc0b4393cf6f11e2d91843c56bb28dbe24f6ac722d060639313d1991a8adc357a2fa0033272d01cc7fde1b9fc15d6992a2c
SSDEEP: 49152:Nc2M6TFlPSvJ5WdCBsUwrIzJWrVdvZvbWzXTnvRuUIZGx:HjYjwew5PbWzjnvRzIUx
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid | Process
4820 | 7z2201.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
4084 | tasklist.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\7-Zip\7z.dll | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\7zCon.sfx | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\7-zip.chm | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\gl.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\nl.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\uz.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\ca.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\eo.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\sl.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\readme.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\he.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\tr.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\7z.sfx | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\el.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\en.ttt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\lv.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\de.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\hi.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\mng2.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\va.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\bn.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\bn.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\eu.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\History.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\fy.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\kaa.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\mng2.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\lv.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\sk.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\7z.exe | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\nb.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ne.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\pl.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ja.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\lt.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\vi.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\sq.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\en.ttt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\mk.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\it.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\kab.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\7zFM.exe | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\License.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\an.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\gu.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\hr.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\kk.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\yo.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\mr.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\ps.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\bg.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\de.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\fur.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\ja.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\vi.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\br.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ky.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\tk.txt | 7z2201.exe
File created | C:\Program Files (x86)\7-Zip\Lang\ug.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ba.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ga.txt | 7z2201.exe
File opened for modification | C:\Program Files (x86)\7-Zip\Lang\be.txt | 7z2201.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7z2201.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
4680 | timeout.exe
976 | timeout.exe
Modifies registry class 15 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | 7z2201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | 7z2201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | 7z2201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | 7z2201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | 7z2201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | 7z2201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | 7z2201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | 7z2201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | 7z2201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll" | 7z2201.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 764 | WMIC.exe
Token: SeSecurityPrivilege | 764 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 764 | WMIC.exe
Token: SeLoadDriverPrivilege | 764 | WMIC.exe
Token: SeSystemProfilePrivilege | 764 | WMIC.exe
Token: SeSystemtimePrivilege | 764 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 764 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 764 | WMIC.exe
Token: SeCreatePagefilePrivilege | 764 | WMIC.exe
Token: SeBackupPrivilege | 764 | WMIC.exe
Token: SeRestorePrivilege | 764 | WMIC.exe
Token: SeShutdownPrivilege | 764 | WMIC.exe
Token: SeDebugPrivilege | 764 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 764 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 764 | WMIC.exe
Token: SeUndockPrivilege | 764 | WMIC.exe
Token: SeManageVolumePrivilege | 764 | WMIC.exe
Token: 33 | 764 | WMIC.exe
Token: 34 | 764 | WMIC.exe
Token: 35 | 764 | WMIC.exe
Token: 36 | 764 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 764 | WMIC.exe
Token: SeSecurityPrivilege | 764 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 764 | WMIC.exe
Token: SeLoadDriverPrivilege | 764 | WMIC.exe
Token: SeSystemProfilePrivilege | 764 | WMIC.exe
Token: SeSystemtimePrivilege | 764 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 764 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 764 | WMIC.exe
Token: SeCreatePagefilePrivilege | 764 | WMIC.exe
Token: SeBackupPrivilege | 764 | WMIC.exe
Token: SeRestorePrivilege | 764 | WMIC.exe
Token: SeShutdownPrivilege | 764 | WMIC.exe
Token: SeDebugPrivilege | 764 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 764 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 764 | WMIC.exe
Token: SeUndockPrivilege | 764 | WMIC.exe
Token: SeManageVolumePrivilege | 764 | WMIC.exe
Token: 33 | 764 | WMIC.exe
Token: 34 | 764 | WMIC.exe
Token: 35 | 764 | WMIC.exe
Token: 36 | 764 | WMIC.exe
Token: SeDebugPrivilege | 4084 | tasklist.exe
Suspicious use of WriteProcessMemory 33 IoCs
description | pid | Process | procid_target
PID 2812 wrote to memory of 436 | 2812 | Patch_AP.23.xx.exe | 84
PID 2812 wrote to memory of 436 | 2812 | Patch_AP.23.xx.exe | 84
PID 436 wrote to memory of 4680 | 436 | cmd.exe | 86
PID 436 wrote to memory of 4680 | 436 | cmd.exe | 86
PID 436 wrote to memory of 976 | 436 | cmd.exe | 87
PID 436 wrote to memory of 976 | 436 | cmd.exe | 87
PID 436 wrote to memory of 4820 | 436 | cmd.exe | 88
PID 436 wrote to memory of 4820 | 436 | cmd.exe | 88
PID 436 wrote to memory of 4820 | 436 | cmd.exe | 88
PID 436 wrote to memory of 4268 | 436 | cmd.exe | 89
PID 436 wrote to memory of 4268 | 436 | cmd.exe | 89
PID 436 wrote to memory of 1644 | 436 | cmd.exe | 90
PID 436 wrote to memory of 1644 | 436 | cmd.exe | 90
PID 436 wrote to memory of 4924 | 436 | cmd.exe | 91
PID 436 wrote to memory of 4924 | 436 | cmd.exe | 91
PID 4924 wrote to memory of 764 | 4924 | cmd.exe | 92
PID 4924 wrote to memory of 764 | 4924 | cmd.exe | 92
PID 436 wrote to memory of 4944 | 436 | cmd.exe | 94
PID 436 wrote to memory of 4944 | 436 | cmd.exe | 94
PID 4944 wrote to memory of 4084 | 4944 | cmd.exe | 95
PID 4944 wrote to memory of 4084 | 4944 | cmd.exe | 95
PID 436 wrote to memory of 1964 | 436 | cmd.exe | 96
PID 436 wrote to memory of 1964 | 436 | cmd.exe | 96
PID 436 wrote to memory of 4900 | 436 | cmd.exe | 97
PID 436 wrote to memory of 4900 | 436 | cmd.exe | 97
PID 436 wrote to memory of 4764 | 436 | cmd.exe | 98
PID 436 wrote to memory of 4764 | 436 | cmd.exe | 98
PID 4764 wrote to memory of 4984 | 4764 | cmd.exe | 99
PID 4764 wrote to memory of 4984 | 4764 | cmd.exe | 99
PID 436 wrote to memory of 2932 | 436 | cmd.exe | 100
PID 436 wrote to memory of 2932 | 436 | cmd.exe | 100
PID 2932 wrote to memory of 3844 | 2932 | cmd.exe | 101
PID 2932 wrote to memory of 3844 | 2932 | cmd.exe | 101
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Patch_AP.23.xx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Patch_AP.23.xx.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2812
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C2QCK0WP.bat" "C:\Users\Admin\AppData\Local\Temp\Patch_AP.23.xx.exe""
      Signatures: Suspicious use of WriteProcessMemory
      PID: 436
    [3] C:\Windows\system32\timeout.exe
        Command line: timeout /t 0
        Signatures: Delays execution with timeout.exe
        PID: 4680
    [3] C:\Windows\system32\timeout.exe
        Command line: timeout /t 0
        Signatures: Delays execution with timeout.exe
        PID: 976
    [3] C:\Users\Admin\AppData\Local\Temp\qbE5783E5.89\7z2201.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qbE5783E5.89\7z2201.exe" /S
        Signatures: Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies registry class
        PID: 4820
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Please install Avast "
        PID: 4268
    [3] C:\Windows\system32\msg.exe
        Command line: msg *
        PID: 1644
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
        Signatures: Suspicious use of WriteProcessMemory
        PID: 4924
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic path win32_LocalTime Get Day,Month,Year /value
          Signatures: Suspicious use of AdjustPrivilegeToken
          PID: 764
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
        Signatures: Suspicious use of WriteProcessMemory
        PID: 4944
      [4] C:\Windows\system32\tasklist.exe
          Command line: tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          PID: 4084
    [3] C:\Windows\system32\reg.exe
        Command line: reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
        PID: 1964
    [3] C:\Windows\system32\reg.exe
        Command line: reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
        PID: 4900
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 4764
      [4] C:\Windows\system32\reg.exe
          Command line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
          PID: 4984
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 2932
      [4] C:\Windows\system32\reg.exe
          Command line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
          PID: 3844
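The command lines in the process tree are the pieces a detection would key on: a batch file launched from the user's Temp directory, two timeout.exe stalls, a WMI read of the local date, tasklist filtered for SbieSvc.exe (the Sandboxie service process), two reg queries for SystemProductName (a value that on VMware, VirtualBox and Hyper-V guests carries the hypervisor's product string), and a query-then-add of HKLM\SOFTWARE\Microsoft\Alu. The Python below is an added example, not part of this report or of the sample: it replays a constructed, Sysmon-style process-creation list rebuilt from the PIDs and command lines shown above, matches each command line against a small rule set, collapses each cmd.exe /c wrapper onto the child that actually ran the check so every check is reported once, and groups the distinct checks under the root process. The rule names, the event tuple layout, the min_rules threshold and the reading of SystemProductName as a VM fingerprint are this example's own assumptions.

```python
"""Flag the anti-analysis command pattern visible in the process tree.

Added example; not part of the sandbox report or the sample. EVENTS is a
constructed, Sysmon-style process-creation list rebuilt from the PIDs and
command lines shown in the report, not a real log capture. Rule names and
the tuple layout are this example's own choices.
"""
import re
from collections import defaultdict

# (rule name, regex applied to the lower-cased command line, what it means)
RULES = [
    ("batch_from_temp",
     r'cmd\.exe\s+/c\s+""[^"]*\\appdata\\local\\temp\\[^"]*\.bat"',
     "runs a batch file dropped under the user's Temp directory"),
    ("timeout_stall", r"\btimeout\s+/t\s+\d+", "stalls via timeout.exe"),
    ("date_check", r"wmic\s+path\s+win32_localtime\s+get\s+day,month,year",
     "reads the local date through WMI"),
    ("sandboxie_check", r'tasklist\s+/fi\s+"imagename\s+eq\s+sbiesvc\.exe"',
     "looks for SbieSvc.exe, the Sandboxie service"),
    ("marker_key", r'reg\s+(?:query|add)\s+"hklm\\software\\microsoft\\alu"',
     "queries/creates a private registry marker key"),
    ("hardware_model_check",
     r'reg\s+query\s+"hkey_local_machine\\system\\'
     r'(?:currentcontrolset\\control\\systeminformation|hardwareconfig\\current)"'
     r'\s+/v\s+"systemproductname"',
     "reads SystemProductName, which names the hypervisor on VM guests"),
]

# Constructed from the report's process tree: (pid, ppid, image, command line).
EVENTS = [
    (2812, None, "Patch_AP.23.xx.exe", r'"C:\Users\Admin\AppData\Local\Temp\Patch_AP.23.xx.exe"'),
    (436, 2812, "cmd.exe", r'cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C2QCK0WP.bat" "C:\Users\Admin\AppData\Local\Temp\Patch_AP.23.xx.exe""'),
    (4680, 436, "timeout.exe", "timeout /t 0"),
    (976, 436, "timeout.exe", "timeout /t 0"),
    (4820, 436, "7z2201.exe", r'"C:\Users\Admin\AppData\Local\Temp\qbE5783E5.89\7z2201.exe" /S'),
    (4268, 436, "cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo Please install Avast "'),
    (1644, 436, "msg.exe", "msg *"),
    (4924, 436, "cmd.exe", r'C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value'),
    (764, 4924, "WMIC.exe", "wmic path win32_LocalTime Get Day,Month,Year /value"),
    (4944, 436, "cmd.exe", r'C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh'),
    (4084, 4944, "tasklist.exe", r'tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh'),
    (1964, 436, "reg.exe", r'reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32'),
    (4900, 436, "reg.exe", r'reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32'),
    (4764, 436, "cmd.exe", r'C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"'),
    (4984, 4764, "reg.exe", r'reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"'),
    (2932, 436, "cmd.exe", r'C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"'),
    (3844, 2932, "reg.exe", r'reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"'),
]


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    low = cmdline.lower()
    return [name for name, pattern, _ in RULES if re.search(pattern, low)]


def scan(events):
    """Leaf-level findings as (pid, image, rule).

    A cmd.exe /c wrapper and the child it spawns carry the same command text.
    The wrapper is dropped whenever one of its children already matched the
    rule, so each check is attributed once, to the process that performed it.
    """
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    hits = {pid: set(match_rules(cmd)) for pid, _, _, cmd in events}
    findings = []
    for pid, _, image, _ in events:
        for rule in sorted(hits[pid]):
            if any(rule in hits[child] for child in children[pid]):
                continue
            findings.append((pid, image, rule))
    return findings


def root_pid(events, pid):
    """Walk ppid links up to the top-level process of the captured tree."""
    parent = {p: pp for p, pp, _, _ in events}
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def summarize(events):
    """Distinct rules hit, keyed by the root process that owns the chain."""
    out = defaultdict(set)
    for pid, _, rule in scan(events):
        out[root_pid(events, pid)].add(rule)
    return dict(out)


def is_anti_analysis_chain(events, root, min_rules=3):
    """True when one root accumulates at least min_rules distinct checks.
    The threshold is a tunable assumption of this example, not a standard."""
    return len(summarize(events).get(root, set())) >= min_rules


if __name__ == "__main__":
    for pid, image, rule in scan(EVENTS):
        print(f"{pid:>5} {image:<20} {rule}")
    print(summarize(EVENTS))
```

Running it lists nine findings, all rooted at PID 2812: the batch launch (436), both timeout stalls (4680, 976), the WMI date read (764), the Sandboxie check (4084), the marker-key query and add (1964, 4900) and the two SystemProductName reads (4984, 3844). The cmd.exe wrappers (4924, 4944, 4764, 2932) are suppressed because their children matched the same rule. Rules are deliberately matched on command-line text rather than image name so the same logic works on EDR telemetry where the image path is rewritten or the binary is renamed.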
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: ffcf8a650bead451002a3ef4ec9ee8f3
SHA1: e2b8124d4ad00c665acf866e4d2c26dd813fd73f
SHA256: 7bffe959852c3b8fd3e1bf2f70ea858fb90995012b6ace5b077d528fe913ed65
SHA512: 4ae2555c7c1aa867b32de787f51f76b4465577af0572782371ab17a1a4ff0182db8fb84d183518972b3f35b054c5dc9b42bda4e602f70fc5c88f68fb6ae403ac

Filesize: 1.2MB
MD5: 734e95cdbe04f53fe7c28eeaaaad7327
SHA1: e49a4d750f83bc81d79f1c4c3f3648a817c7d3da
SHA256: 8c8fbcf80f0484b48a07bd20e512b103969992dbf81b6588832b08205e3a1b43
SHA512: 16b02001c35248f18095ba341b08523db327d7aa93a55bcee95aebb22235a71eae21a5a8d19019b10cac3e7764a59d78cf730110bae80acc2ff249bbc7861ad7

Filesize: 7KB
MD5: a55946a71f52a69a36ef1dfc63a82dc7
SHA1: 8293a107a4999b365a4a6e7722f577e03df637a5
SHA256: e4781c4b764c250479ffcdaa35ccef0af2a88de99a458ddf3e3a7c62ac162f61
SHA512: a121b99c098d646f3fa8eb76936604949fb8bebc7a62ff74d7b4626cd3bde5ab0d8df1cda928d606672f97270c2da47e3d83021616403f01474a688b270bbb92

Filesize: 48B
MD5: 603bb17a543c17fa1ca010f25f826b28
SHA1: 8dd73ba47541af038bd02f83a856bcd776093992
SHA256: fd69a606d1b8c0803bf6326e34f8852198b0c067e90f5d8f882c0483a69fa8d2
SHA512: a08b1cddc7e2806b104766493bf4ff3e307614c3992c074d384b981c2eb1fe99ed55f68dcc2b1dab359e1134f52b2eae7ff76279b5ff192985670bee7dd7bc39

Filesize: 824KB
MD5: ca9d6a94dda72e4136dd943e513eeb0c
SHA1: 5a5900a6656e3c2d6cd994c69cce8a4a082ab4ce
SHA256: dd550a58b1055b097f0df3258752d85b7f9f7bfc392bd29c78fa546875f40693
SHA512: 4ab0033ca62b8496f3818aa4c79e12df7968c5b3059f0c2f53a747d6a32311e3ee55fb2138cdf70ae1795ce3af4b673971455b987baced04c03f0ac22ac99364