Resubmissions

06-11-2024 08:50

241106-krjv6azjcn 7

06-11-2024 08:48

241106-kqtc7sxfll 7

Analysis

  • max time kernel
    357s
  • max time network
    357s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2024 08:50

General

  • Target

    tebo-ictview.4.0-patch.zip

  • Size

    531KB

  • MD5

    cad2506fdf50bc3cca25f582049984d0

  • SHA1

    e141d367b764623ffb37801a3c7a4a15a07988df

  • SHA256

    5217148419fc18f5b476d74431d7a437d0f4e2ca43017b8b69507d1e200b378b

  • SHA512

    34e3431a681d7b890e3e78d32f9716fc51857600d0d57e865a5c30fda780c38415fc884f2b9fc3921c3f4705d19ca192dddb76671dc1d952485d904aa250e29f

  • SSDEEP

    12288:uW+lzoSzhyYn+0gbmn9RY5fhvLddM93vQv0Os34:Dw5Fnxmmn4VxZ+3W014

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\tebo-ictview.4.0-patch.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\7zO45AB8007\tebo-ictview.4.0-patch.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO45AB8007\tebo-ictview.4.0-patch.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO45AB8007\tebo-ictview.4.0-patch.exe

    Filesize

    413KB

    MD5

    119b9c5d2a84b08854a8b1e9a73e0c58

    SHA1

    745cb6992f799ffd57d7da45d4f7bf37559b69c4

    SHA256

    2062474e6f0c7b7edf50aa3d7579301e42bc17efd77cc6fecc2edfa76d0a4930

    SHA512

    89230f04edcaad3ae125e2611a1107e266b03405c8ad9972e685a8cf25f7912e8b01f4c264257f074dee24c22165f175593195e39b237603aba586db6d8c2358

  • \Users\Admin\AppData\Local\Temp\bassmod.dll

    Filesize

    9KB

    MD5

    780d14604d49e3c634200c523def8351

    SHA1

    e208ef6f421d2260070a9222f1f918f1de0a8eeb

    SHA256

    844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

    SHA512

    a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

  • \Users\Admin\AppData\Local\Temp\dup2patcher.dll

    Filesize

    255KB

    MD5

    c23adb4c6ebb49de336656dacbb08409

    SHA1

    fe005669ca35deb73521c9905eb5722a528f2c61

    SHA256

    57a0ac99c64da6c10ef1ca5f3e007539aa3adf1e087fb3a396ccf23ebd22c5d7

    SHA512

    08c7b7a1f445790718e3d5521cbb1fe1b82c98e757df64c6e274e9c1f96a1efa5536e31d0370d7a3d7e5d40d35a4d66f58999d0ecea541de5f4f8da459f17dcf

  • memory/2708-10-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

  • memory/2708-14-0x0000000074820000-0x0000000074878000-memory.dmp

    Filesize

    352KB

  • memory/2708-18-0x0000000006330000-0x0000000006332000-memory.dmp

    Filesize

    8KB

  • memory/2708-21-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB