1d144d8d909acdc149adeefd0434914dbc0c385aa45b70798927e1e564a2fcb3

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20-09-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7tt_setup.exe
Size

1.8MB
MD5

8b4f8b4ed27c1e4a701c8d653665cd50
SHA1

0e052e38eec0bb02d695392f145330be2cac08c4
SHA256

1d144d8d909acdc149adeefd0434914dbc0c385aa45b70798927e1e564a2fcb3
SHA512

804d16097812ea42db117f60485218546e6571b4808ef6394425cea0f23dd1f532898a815a86a471b2ddd890dfa8a380f968cfea1fc05352c1c85e40c792cfa7
SSDEEP

49152:KcCNRQ3JmgQt8rEd2PhW+OfuhJYdET7fXeXKNrSxt7:K+mgQQ+Iq2hJO47/eMg

Score

10^/10

discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 864 created 3340	864	7tt_setup.exe	52

Executes dropped EXE 1 IoCs

pid	Process
1184	7+ Taskbar Tweaker.exe

Loads dropped DLL 3 IoCs

pid	Process
864	7tt_setup.exe
864	7tt_setup.exe
864	7tt_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\7 Taskbar Tweaker = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\7+ Taskbar Tweaker\\7+ Taskbar Tweaker.exe\" -hidewnd"	7tt_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7tt_setup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1184	7+ Taskbar Tweaker.exe
1184	7+ Taskbar Tweaker.exe
1184	7+ Taskbar Tweaker.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1184	7+ Taskbar Tweaker.exe
1184	7+ Taskbar Tweaker.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1184	864	7tt_setup.exe	79
PID 864 wrote to memory of 1184	864	7tt_setup.exe	79

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\7tt_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7tt_setup.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:864
- C:\Users\Admin\AppData\Local\Programs\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe
  "C:\Users\Admin\AppData\Local\Programs\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\7+ Taskbar Tweaker\7+ Taskbar Tweaker.exe

Filesize
478KB

MD5
2a3fb32d226697b187e096ef015e4721

SHA1
4e8d22135072f9a61e517300b25477ee7db9c038

SHA256
8d5ae8da6321c571dd089afcf4c5eb0cc147d22df26a3707b9b2980ecac9af78

SHA512
4e828c3d8b09b4c9df6552d8c37def969d85ef25b26a266ec3ef57353c734fe4f96b2b1a63310ba9d98d85b2d24b5eb5600c2d213927ca86063019fffbdd532a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9925.tmp\LangDLL.dll

Filesize
5KB

MD5
549ee11198143574f4d9953198a09fe8

SHA1
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

SHA256
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

SHA512
0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9925.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9925.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads