Analysis

  • max time kernel: 144s
  • max time network: 117s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 07/11/2024, 22:11

General

  • Target: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
  • Size: 9.1MB
  • MD5: 308c04f14ff0bff5e554d5975473f5b3
  • SHA1: 3e52120b1a88ea5b6a958fa5605c80f3b6b36b19
  • SHA256: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9
  • SHA512: 4fe68d69be8db7185196445e5577e69fb3f7600212e3bad5a51d629a8d5dfd5847a8e3b15532b1cc34465ed27c2c005b1938bf6b9fc6119092910e96bad7a99e
  • SSDEEP: 196608:9xNufAVuSI58ehsqy3QP0K5OuTf2EugphAV:9WfuI5qT3Q8YOub2QhAV

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
    "C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2204
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EFC99C9C4A4812446F4C7F8DCDFFD6E C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2696

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2204\banner.jpg
          Filesize: 4KB
          MD5: d5a55a78cd38f45256807c7851619b7d
          SHA1: 9d8269120d1d096e9ab0192348f3b8f81f5f73d9
          SHA256: be83c8592906fd9651634b0823a2f45abe96aae082674568944c639b5b4a95dc
          SHA512: 959e7410e3006cfef9d14315e8741e34b6e81c4f9160c5d66f3abd77ce72f55f907ab3a0e500780b5c0e0e017e8639f135cc258976b4ab4b9d1aaed6242ce9f1

        • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2204\dialog.jpg
          Filesize: 12KB
          MD5: 5f6253cff5a8b031bfb3b161079d0d86
          SHA1: 7645b13610583fb67247c74cf5af08ff848079e7
          SHA256: 36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0
          SHA512: d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3

        • C:\Users\Admin\AppData\Local\Temp\CabE29.tmp
          Filesize: 70KB
          MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
          SHA1: 1723be06719828dda65ad804298d0431f6aff976
          SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
          SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\MSICEE3.tmp
          Filesize: 436KB
          MD5: 5788efa607d26332d6d7f5e6a1f6bd6f
          SHA1: e7749843cc3e89bc81649087de4ad44c93d48bc6
          SHA256: 9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d
          SHA512: ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

        • C:\Users\Admin\AppData\Local\Temp\MSICF42.tmp
          Filesize: 875KB
          MD5: 01ab8034f722cbac50b8bcfc36e5b2e8
          SHA1: b25868af5713e37c398b712f19692edd7db2d858
          SHA256: e5c41b1af4d865b1b4b09a9fcb99a1f6eb2b2a75b148f4390298aff1ea348689
          SHA512: 25e24e4d691b1fecc6991997ace400682bb812d48374f95a14e21a9045d7905f4630f4672e88b41afd7933b11fb81c10935e49aba337b15924cfc7e814ca2558

        • C:\Users\Admin\AppData\Local\Temp\MSICFDF.tmp
          Filesize: 575KB
          MD5: 8c1a778e0754301c97a660dbf3e8303b
          SHA1: f489c45cde796de0d23ee862948f5e50379dee60
          SHA256: 000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54
          SHA512: 010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea

        • C:\Users\Admin\AppData\Local\Temp\TarE4B.tmp
          Filesize: 181KB
          MD5: 4ea6026cf93ec6338144661bf1202cd1
          SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
          SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
          SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Roaming\Tech Rider\BotMaster 9.6.0.2\install\BotMaster.msi
          Filesize: 2.8MB
          MD5: e91c8022c878fa58ae6eca30e6f49eda
          SHA1: f2daa2901f12893ef1d2623c1f066ad9252edc48
          SHA256: 243236bb49beaa70cd4a8fba55941597213fc18ab444b8aa992c80f2d5ec05e6
          SHA512: abe25ba5c90a14c622773e257b0b330696985d0182090716ac1e2843dda20e9b19229fc45612e1eead708d17bd9b79615139a31cca072769d3dbd50f7389d55a

        • memory/2204-0-0x0000000000310000-0x0000000000311000-memory.dmp
          Filesize: 4KB

        • memory/2204-56-0x0000000000310000-0x0000000000311000-memory.dmp
          Filesize: 4KB