Overview

overview

10

Static

static

3

PTHAV002_2...16.zip

windows7-x64

7

PTHAV002_2...16.zip

windows10-2004-x64

1

Device/Har...23.exe

windows7-x64

10

Device/Har...23.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Resubmissions

24-10-2024 15:47

241024-s77adswhlp 10

24-10-2024 15:44

241024-s6mvcs1flg 10

Analysis

  • max time kernel
    80s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2024 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PTHAV002_2024-10-24_15_43_35.016.zip

  • Size

    787KB

  • MD5

    5a2c6cfffcac05ee6c740c0f7565375e

  • SHA1

    a097fa2843dd14bcfb671e65d2a6c1609cc583fd

  • SHA256

    859571a129deed67ebc60c7e2e5d48b1e1282121e11d1d696e9cac88fa7c3643

  • SHA512

    2a29df18728198eef81a8c568e81d47aad79826d38f15aad54be5c260a9528a2a86ebb4a3126a15a127efff5cbee21765abac51fd83a0b84889858ef1971f197

  • SSDEEP

    24576:n/JgJcJ7c3Zd02xS3KNcFz3As/MFdL4qNj:nhgJc5cpd02x9cFzzYXNj

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PTHAV002_2024-10-24_15_43_35.016.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2696
  • C:\Users\Admin\Desktop\factura 563423.exe
    "C:\Users\Admin\Desktop\factura 563423.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2896
    • C:\Users\Admin\Desktop\factura 563423.exe
      "C:\Users\Admin\Desktop\factura 563423.exe"
      2⤵
        PID:3192
    • C:\Users\Admin\Desktop\factura 563423.exe
      "C:\Users\Admin\Desktop\factura 563423.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2420
      • C:\Users\Admin\Desktop\factura 563423.exe
        "C:\Users\Admin\Desktop\factura 563423.exe"
        2⤵
          PID:3148
      • C:\Users\Admin\Desktop\factura 563423.exe
        "C:\Users\Admin\Desktop\factura 563423.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3008
      • C:\Users\Admin\Desktop\factura 563423.exe
        "C:\Users\Admin\Desktop\factura 563423.exe"
        1⤵
          PID:3136
        • C:\Program Files\7-Zip\7zG.exe
          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\factura 563423\" -spe -an -ai#7zMap12206:86:7zEvent20461
          1⤵
            PID:3024
          • C:\Program Files\7-Zip\7zG.exe
            "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\factura 563423\" -spe -an -ai#7zMap30890:86:7zEvent27328
            1⤵
              PID:2888
            • C:\Program Files\7-Zip\7zG.exe
              "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2082:86:7zEvent735
              1⤵
                PID:2752

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Cab3AC0.tmp
                Filesize

                70KB

                MD5

                49aebf8cbd62d92ac215b2923fb1b9f5

                SHA1

                1723be06719828dda65ad804298d0431f6aff976

                SHA256

                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                SHA512

                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423.exe
                Filesize

                901KB

                MD5

                6cb35cad38c80bbb552c99caf75f9371

                SHA1

                f1dcc7d9805738aaf1f30b32383674ea30706269

                SHA256

                057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf

                SHA512

                638594b7228a8e747c34f1ab7916774feaff1ce58e875e64bb28cc6742472a305c5aa06e709ec708aad990d9e78ce828509af8a575b3fe62082699de1bb81734

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\Objektiviseringen\Hematomancy42.txt
                Filesize

                274B

                MD5

                4da37058224bd7b59229bb611e105f39

                SHA1

                1da82b8c8f86e54f744aff64c798e84d1c70e4eb

                SHA256

                4f6eb70f672b677aaa6a534a1bfe8834e2608b72957d57df8089665816ddd90e

                SHA512

                f839f7fbfedd517cf9a9c253ced6641f1d7cdb69694ba6ed939500ff99fe5247976c09ec915675d8691c04b80ba2f8e49068b4f916904bde994b4051abe3e98e

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\Objektiviseringen\Rvegraves.rej
                Filesize

                200KB

                MD5

                84523a696370eab2f84cc398ffd50054

                SHA1

                9279a88692c419da715b74828f456ef4756ee7a0

                SHA256

                8bf70ce6c463271b6bb4e259d1cbf5ae228751ccf95c5b69756cbeb9de60be95

                SHA512

                40d04c68c156e120eef4463962d0dfb96e48a86709a3f162c4c1aa2c840f6058881ccda0d9006c35bbbe5bdde40eb27b1ddc0f71262cd682f37601992d9d853a

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\chagul\Fortovs\southwestern.gor
                Filesize

                241KB

                MD5

                79ad4943801e304b83e39774d00ed227

                SHA1

                e3ed1c0c871e490194fad68584d401104e0d2bd6

                SHA256

                1c0cc2363d16826b2c8d36d983e883e3d81e12df8456e3512bf80e7de28c9583

                SHA512

                497dc447dd0bd52479445e7fce633427e17dcb02546e876b9ad6945a2c1186de20c26f7ea324ebb8608bf76b16846b738c8fba138004da07a7494e743e925481

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\chagul\Hjortetakkens.pro
                Filesize

                368KB

                MD5

                87a52f4e6ce72e090d982511c93e363e

                SHA1

                c6a263c8afd9d2fc60fc7a07a8449f8a8cbd713d

                SHA256

                838472456a1b5905bec73fe10a4afc9a09c01dfa3ff108deb1ceb57fac83718f

                SHA512

                1d1f3973faebb73c0989d3fc991adad9f444ca36f7ea2c5fc0443769fde9e11c6eb1cbd2c6143c5da9167f2176c298d169a828b466826a6fde68e61961387b58

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\chagul\Sluttidspunktets.ace
                Filesize

                218KB

                MD5

                27a799752643f5e96c57957dd115f836

                SHA1

                c25dbe476573cbb94df8cb43cbbb7446e57b5bd4

                SHA256

                6770149a0d8af75d3d8df950cf3d1a8475fc73e60ef9e3bd03ad04a2001035e7

                SHA512

                fc46c8bd1186b0381e0f4679cb0844456dde98e62c47888c4eefdddc34c56274ab739c21c1dad4c75473a74a188698d9a268e07cd66c33464619ff6094ccf66f

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\chagul\crappin.fan
                Filesize

                329KB

                MD5

                e2701f9b21e2e3383c23d42a8a80f0cd

                SHA1

                b48623eb7f31a6e559cb276cec52b8629f28688f

                SHA256

                4cbc5303baa96a022304acac34ad9cbf9db661e89bf603ca872b0f38e2c7f3b7

                SHA512

                c3d53de9228dbcc8498be846562a4630a35a321bab5344bd2ca4452b8c161405785a65ad2425b8764c0e95479f230fd8f78bf5501cad820deba8e5563621a122

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\chagul\legaliserende.tro
                Filesize

                449KB

                MD5

                a372469d5ea672a9c76fdcfe1127b8df

                SHA1

                25129be715c8a42ececfc70330e29a8bb7d21e14

                SHA256

                3eb84177ebd5ca99880fee24652579f356008c29ff31e8e0f157693c3e16cc69

                SHA512

                15179350720dec225250a113603e1b7d9f11d7556365dcf61f150d775ddfdb930fd08079f6d933c108d3748e63118b5d5d7017b2f29657af6ff07eb826d36d20

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\chagul\momentousments.afr
                Filesize

                320KB

                MD5

                c6cca0bf9fb8cc569e1edbb70f5ab95e

                SHA1

                fa9a3e70d31a5009f0d63d88ea8d224763936862

                SHA256

                705a96fff4440f49a231e8d17b289d97786ec373aa5b39fdad48b410dca53ea8

                SHA512

                efa09455d16f63322bd81986aeccc65aeab92a601aa11eb68725afcb3f61965510ffea65bb87a89a0123263189e6a4200958582f135b3c5bb0a023fddda35911

                Download Submit

              • C:\Users\Admin\Desktop\factura 563423\chagul\programdels.fla
                Filesize

                475KB

                MD5

                b0f8a54823350c2f31d2bb230615afb1

                SHA1

                6f46b1e8491247556108d37809870f0c34fb0f7f

                SHA256

                f7161357b945d6764d2c290af7f7290c1c00a08aaaac622b45e2719ac6a50968

                SHA512

                957b98b57883b2d56186a2ac17582453d092f8ef84ac360d16c3e3ee4bc28100537df84d0f30ae880298657404e45ba29761814a5e3cf16c90510cb8175a63a3

                Download Submit

              • C:\Users\Admin\Desktop\peripheries.lnk
                Filesize

                860B

                MD5

                12661c6cccda04f3a4719c9b72a86abc

                SHA1

                0e8c6150b6c71e6e5422cc5547ad52745e8083e7

                SHA256

                a1cc70e70b85a820f970a82ce1c58524e4c15052f6b1db4620e67374eb17ba2a

                SHA512

                fe8b1771cefaf501d69e3cf1295e8174c13d8d9569684b2537aa373f89d2ea252f5c8215bc3d1aac9055938f7f45a3673ca0791f332c909eac9f605d01093a08

                Download Submit

              • C:\Users\Admin\Desktop\peripheries.lnk
                Filesize

                830B

                MD5

                a0b9574aca19808a588e1fd996cd2833

                SHA1

                0d6963cff9a899898a0015a37151a7a6390ea727

                SHA256

                ccb9592997bf91936138f0c037a1bee30f2e9236869eadc17e23da3d86457390

                SHA512

                85e90012578075e571ec0f04480d09368b5891bf6511ffa544c139a7e9aa7fb1e755807a2db72c962a79a9e910efb92c9906bb07061fb8b3da068a3661284d94

                Download Submit

              • C:\Users\Admin\Desktop\peripheries.lnk
                Filesize

                860B

                MD5

                45ebd74a4d9e6c8c6353ac7763420a80

                SHA1

                857492613707b3560a517c37312af9d972b5a99c

                SHA256

                2db87e5584d782872e760ed647480763508ecf5e97aaa37c3060dbd6eb987123

                SHA512

                f90b1ea000531b4aa9aa1212273c91fd73dfd7145ec59b7d16c184273d08207a89da33b1e7f5e09d1b38eafc103cad81a255ded5274095632b87cc3253ac443f

                Download Submit

              • \Users\Admin\AppData\Local\Temp\nst36CA.tmp\System.dll
                Filesize

                11KB

                MD5

                cf85183b87314359488b850f9e97a698

                SHA1

                6b6c790037eec7ebea4d05590359cb4473f19aea

                SHA256

                3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

                SHA512

                fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

                Download Submit

              • memory/3148-61397-0x0000000000400000-0x0000000001462000-memory.dmp

                Filesize

                16.4MB

                Download

              • memory/3148-53882-0x0000000000400000-0x0000000001462000-memory.dmp

                Filesize

                16.4MB

                Download

              • memory/3148-62233-0x0000000000400000-0x0000000001462000-memory.dmp

                Filesize

                16.4MB

                Download

              • memory/3148-62232-0x0000000000400000-0x0000000001462000-memory.dmp

                Filesize

                16.4MB

                Download

              • memory/3192-61402-0x0000000000400000-0x0000000001462000-memory.dmp

                Filesize

                16.4MB

                Download

              • memory/3192-62234-0x0000000000400000-0x0000000001462000-memory.dmp

                Filesize

                16.4MB

                Download

              • memory/3192-92813-0x0000000000400000-0x0000000001462000-memory.dmp

                Filesize

                16.4MB

                Download