Analysis
-
max time kernel
61s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
21-10-2024 23:42
Static task
static1
General
-
Target
The-MALWARE-Repo-master.zip
-
Size
198.8MB
-
MD5
af60ad5b6cafd14d7ebce530813e68a0
-
SHA1
ad81b87e7e9bbc21eb93aca7638d827498e78076
-
SHA256
b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
-
SHA512
81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
SSDEEP
6291456:wNl3aFW2h9/fiTwCzCLS6iilVkLZgAEtknRzq:wDaFd//Orcpi4VkL6AfRG
Malware Config
Signatures
-
resource yara_rule behavioral1/files/0x001c00000002ab49-482.dat aspack_v212_v242 -
Executes dropped EXE 2 IoCs
pid Process 1960 Avoid.exe 3128 ChilledWindows.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: ChilledWindows.exe File opened (read-only) \??\Z: ChilledWindows.exe File opened (read-only) \??\K: ChilledWindows.exe File opened (read-only) \??\O: ChilledWindows.exe File opened (read-only) \??\P: ChilledWindows.exe File opened (read-only) \??\Q: ChilledWindows.exe File opened (read-only) \??\A: ChilledWindows.exe File opened (read-only) \??\L: ChilledWindows.exe File opened (read-only) \??\Y: ChilledWindows.exe File opened (read-only) \??\W: ChilledWindows.exe File opened (read-only) \??\B: ChilledWindows.exe File opened (read-only) \??\G: ChilledWindows.exe File opened (read-only) \??\H: ChilledWindows.exe File opened (read-only) \??\U: ChilledWindows.exe File opened (read-only) \??\N: ChilledWindows.exe File opened (read-only) \??\S: ChilledWindows.exe File opened (read-only) \??\T: ChilledWindows.exe File opened (read-only) \??\V: ChilledWindows.exe File opened (read-only) \??\E: ChilledWindows.exe File opened (read-only) \??\I: ChilledWindows.exe File opened (read-only) \??\J: ChilledWindows.exe File opened (read-only) \??\M: ChilledWindows.exe File opened (read-only) \??\X: ChilledWindows.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Avoid.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2253712635-4068079004-3870069674-1000\{616E88EA-E40E-4A04-A193-E39997B24121} ChilledWindows.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3872 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeRestorePrivilege 3872 7zFM.exe Token: 35 3872 7zFM.exe Token: SeSecurityPrivilege 3872 7zFM.exe Token: SeShutdownPrivilege 3128 ChilledWindows.exe Token: SeCreatePagefilePrivilege 3128 ChilledWindows.exe Token: 33 2536 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2536 AUDIODG.EXE Token: SeShutdownPrivilege 3128 ChilledWindows.exe Token: SeCreatePagefilePrivilege 3128 ChilledWindows.exe Token: SeShutdownPrivilege 3128 ChilledWindows.exe Token: SeCreatePagefilePrivilege 3128 ChilledWindows.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 3872 7zFM.exe 3872 7zFM.exe 1960 Avoid.exe 3128 ChilledWindows.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3872
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:872
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Avoid.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Avoid.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1960
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3128
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384KB
MD5d35defde3ad3faecd5955399986c9785
SHA17762067bc38abb0654f552bd5967404c57954ea3
SHA25669d351f5546d8e20aed4549148ce8b8344faa65fb64e00b248028ac408922319
SHA512cabff3a74b4b18b87b389f74c383dd79f33f17504a239deb35bb0ccf0d6f9e20b638d136ef8b3b7390f48a16e4f9398f264cc714766c8f7c032124a8737d84d0
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
248KB
MD520d2c71d6d9daf4499ffc4a5d164f1c3
SHA138e5dcd93f25386d05a34a5b26d3fba1bf02f7c8
SHA2563ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d
SHA5128ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704
-
Filesize
4.4MB
MD56a4853cd0584dc90067e15afb43c4962
SHA1ae59bbb123e98dc8379d08887f83d7e52b1b47fc
SHA256ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
SHA512feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
-
Filesize
3.6MB
MD5698ddcaec1edcf1245807627884edf9c
SHA1c7fcbeaa2aadffaf807c096c51fb14c47003ac20
SHA256cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
SHA512a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155