Analysis

max time kernel: 125s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:38
Static task static1

Behavioral task behavioral1: sample Release.zip, resource win7-20240903-en
Behavioral task behavioral2: sample Release.zip, resource win10v2004-20241007-en
Behavioral task behavioral3: sample Setup.txt, resource win7-20240903-en
Behavioral task behavioral4: sample Setup.txt, resource win10v2004-20241007-en
Behavioral task behavioral5: sample emu/878321.exe, resource win7-20241010-en
Behavioral task behavioral6: sample emu/878321.exe, resource win10v2004-20241007-en
Behavioral task behavioral7: sample emu/KeyAuthEmulator.exe, resource win7-20240903-en
Behavioral task behavioral8: sample emu/KeyAuthEmulator.exe, resource win10v2004-20241007-en
Behavioral task behavioral9: sample emu/KeyAuthEmulator.exe, resource win7-20240729-en
Behavioral task behavioral10: sample emu/KeyAuthEmulator.exe, resource win10v2004-20241007-en
Behavioral task behavioral11: sample index.html, resource win7-20241010-en
Behavioral task behavioral12: sample index.html, resource win10v2004-20241007-en
Behavioral task behavioral13: sample loader3.exe, resource win7-20240903-en
Behavioral task behavioral14: sample loader3.exe, resource win10v2004-20241007-en
General

Target: Release.zip
Size: 1.1MB
MD5: 047e1e654f02abeb24f95df4e34231bc
SHA1: 54df77449d6a833b8459a319ac04e93fd84beab1
SHA256: 89af23ff21360079b2ee8011aa959c1b4baf7ab09522e74980a6d86c2aa868dd
SHA512: 7d21689e3df3216c22cf248489ad9faa99a2cf10f9521944be50fae61ace29a5a908480fda3c5511b98ca7c55d93c26e16956036fa5fc28561356d3b777dfdcc
SSDEEP: 24576:FxVYnMv+gfZLNnOLgr7RSQDexlQxWGo/snKoAj4Ac7nGzglqS/7zafBISC8QE:WnWhZLNOkJSQyPYWHkXE4jbGc1/vaf7F
Signatures

Executes dropped EXE (5 IoCs)
  pid   Process
  1188  KeyAuthEmulator.exe
  4776  loader3.exe
  3600  8c9zrj.exe
  2236  loader3.exe
  4152  8c9zrj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  pid   Process
  4776  loader3.exe (the same pid/process pair, recorded 64 times)

Drops file in Program Files directory (6 IoCs)
  description                   ioc                                                                                       Process
  File created                  C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe                                  loader3.exe
  File created                  C:\Program Files\Windows NT\Accessories\en-US\symbols\8a7acf8a27881ad9887fc425cd6c5f95.pdb 8c9zrj.exe
  File opened for modification  C:\Program Files\Windows NT\Accessories\en-US\bjtw76.sys                                  loader3.exe
  File opened for modification  C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe                                  loader3.exe
  File created                  C:\Program Files\Windows NT\Accessories\en-US\symbols\8a7acf8a27881ad9887fc425cd6c5f95.pdb 8c9zrj.exe
  File created                  C:\Program Files\Windows NT\Accessories\en-US\bjtw76.sys                                  loader3.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2964  7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   2964  7zFM.exe
  Token: 35                   2964  7zFM.exe
  Token: SeSecurityPrivilege  2964  7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2964  7zFM.exe (recorded twice)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  4776  loader3.exe
  3600  8c9zrj.exe
  2236  loader3.exe
  4152  8c9zrj.exe

Suspicious use of WriteProcessMemory (52 IoCs; every entry below was recorded twice, giving 26 unique pid/target pairs)
  description                          pid   Process      procid_target
  PID 4776 wrote to memory of 408      4776  loader3.exe  97
  PID 408 wrote to memory of 1220      408   cmd.exe      98
  PID 408 wrote to memory of 1980      408   cmd.exe      99
  PID 408 wrote to memory of 2368      408   cmd.exe      100
  PID 4776 wrote to memory of 460      4776  loader3.exe  101
  PID 4776 wrote to memory of 3484     4776  loader3.exe  102
  PID 4776 wrote to memory of 4660     4776  loader3.exe  103
  PID 4776 wrote to memory of 1428     4776  loader3.exe  104
  PID 4776 wrote to memory of 2240     4776  loader3.exe  105
  PID 4776 wrote to memory of 1968     4776  loader3.exe  106
  PID 4776 wrote to memory of 4528     4776  loader3.exe  107
  PID 4776 wrote to memory of 3016     4776  loader3.exe  108
  PID 3016 wrote to memory of 3600     3016  cmd.exe      109
  PID 2236 wrote to memory of 4964     2236  loader3.exe  119
  PID 4964 wrote to memory of 1152     4964  cmd.exe      120
  PID 4964 wrote to memory of 3052     4964  cmd.exe      121
  PID 4964 wrote to memory of 1684     4964  cmd.exe      122
  PID 2236 wrote to memory of 4344     2236  loader3.exe  123
  PID 2236 wrote to memory of 4904     2236  loader3.exe  124
  PID 2236 wrote to memory of 3064     2236  loader3.exe  125
  PID 2236 wrote to memory of 1396     2236  loader3.exe  126
  PID 2236 wrote to memory of 2944     2236  loader3.exe  127
  PID 2236 wrote to memory of 752      2236  loader3.exe  128
  PID 2236 wrote to memory of 4532     2236  loader3.exe  129
  PID 2236 wrote to memory of 4504     2236  loader3.exe  130
  PID 4504 wrote to memory of 4152     4504  cmd.exe      131
Processes

(Each entry lists the image path, the command line, the PID and the signatures that fired for that process; indentation shows the parent/child depth.)

C:\Program Files\7-Zip\7zFM.exe
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
  PID: 2964
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 988

C:\Users\Admin\Downloads\emu\KeyAuthEmulator.exe
  command line: "C:\Users\Admin\Downloads\emu\KeyAuthEmulator.exe"
  PID: 1188
  - Executes dropped EXE

C:\Users\Admin\Downloads\loader3.exe
  command line: "C:\Users\Admin\Downloads\loader3.exe"
  PID: 4776
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID: 408
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe
          command line: certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5
          PID: 1220

        C:\Windows\system32\find.exe
          command line: find /i /v "md5"
          PID: 1980

        C:\Windows\system32\find.exe
          command line: find /i /v "certutil"
          PID: 2368

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 460

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 3484

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 4660

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 1428

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 2240

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 1968

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 4528

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cd C:\Program Files\Windows NT\Accessories\en-US\ && 8c9zrj.exe bjtw76.sys >nul 2>&1
      PID: 3016
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe
          command line: 8c9zrj.exe bjtw76.sys
          PID: 3600
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Downloads\loader3.exe
  command line: "C:\Users\Admin\Downloads\loader3.exe"
  PID: 2236
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID: 4964
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe
          command line: certutil -hashfile "C:\Users\Admin\Downloads\loader3.exe" MD5
          PID: 1152

        C:\Windows\system32\find.exe
          command line: find /i /v "md5"
          PID: 3052

        C:\Windows\system32\find.exe
          command line: find /i /v "certutil"
          PID: 1684

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 4344

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 4904

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 3064

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 1396

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 2944

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 752

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c CLS
      PID: 4532

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cd C:\Program Files\Windows NT\Accessories\en-US\ && 8c9zrj.exe bjtw76.sys >nul 2>&1
      PID: 4504
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Windows NT\Accessories\en-US\8c9zrj.exe
          command line: 8c9zrj.exe bjtw76.sys
          PID: 4152
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx
Downloads