Analysis

max time kernel: 133s
max time network: 126s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:08
Static task: static1

Behavioral task: behavioral1
  Sample: Flasher.zip
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: Flasher.zip
  Resource: win10v2004-20241007-en
General

Target: Flasher.zip
Size: 236KB
MD5: 4c8bbc6463c293014ebc570d8df35403
SHA1: aee8b60bbd853603234a68905e268cc45152237b
SHA256: 646b0a869c221a54fe1f311e8576bbf9c5ee6e1e4f4f15a327115cf7951ad395
SHA512: aaa15c109c4a7eacd9fac1520c16c8b2a9bdc93c9b6afd29b3145e3a74d34fd07502532f28d27edc2cd8e9384657371f82555e3dab1c2c0da956c69d463bb67d
SSDEEP: 6144:cezDNUPj8XIUMBhcU8CnCYXhVkcPa5NAxO2:ceXNoAYUMIUvCYRJa5NE
Malware Config
Signatures

YARA rule match
  resource                                    yara_rule
  behavioral1/files/0x000900000001755b-4.dat  aspack_v212_v242

Executes dropped EXE (5 IoCs)
  pid   Process
  2612  [email protected]
  2440  [email protected]
  2808  [email protected]
  2756  [email protected]
  2384  [email protected]

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   [email protected]
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   [email protected]
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   [email protected]
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   [email protected]
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   [email protected]

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2360  7zFM.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                        pid   Process
  Token: SeRestorePrivilege          2360  7zFM.exe
  Token: 35                          2360  7zFM.exe
  Token: SeSecurityPrivilege         2360  7zFM.exe
  Token: SeSecurityPrivilege         2360  7zFM.exe
  Token: SeSecurityPrivilege         2360  7zFM.exe
  Token: SeSecurityPrivilege         2360  7zFM.exe
  Token: 33                          3020  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  3020  AUDIODG.EXE
  Token: 33                          3020  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  3020  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (5 IoCs)
  pid   Process
  2360  7zFM.exe
  2360  7zFM.exe
  2360  7zFM.exe
  2360  7zFM.exe
  2360  7zFM.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process   procid_target
  PID 2360 wrote to memory of 2612   2360  7zFM.exe  31
  PID 2360 wrote to memory of 2612   2360  7zFM.exe  31
  PID 2360 wrote to memory of 2612   2360  7zFM.exe  31
  PID 2360 wrote to memory of 2612   2360  7zFM.exe  31
  PID 2360 wrote to memory of 2440   2360  7zFM.exe  32
  PID 2360 wrote to memory of 2440   2360  7zFM.exe  32
  PID 2360 wrote to memory of 2440   2360  7zFM.exe  32
  PID 2360 wrote to memory of 2440   2360  7zFM.exe  32
  PID 2360 wrote to memory of 2808   2360  7zFM.exe  34
  PID 2360 wrote to memory of 2808   2360  7zFM.exe  34
  PID 2360 wrote to memory of 2808   2360  7zFM.exe  34
  PID 2360 wrote to memory of 2808   2360  7zFM.exe  34
  PID 2360 wrote to memory of 2756   2360  7zFM.exe  35
  PID 2360 wrote to memory of 2756   2360  7zFM.exe  35
  PID 2360 wrote to memory of 2756   2360  7zFM.exe  35
  PID 2360 wrote to memory of 2756   2360  7zFM.exe  35
  PID 2360 wrote to memory of 2384   2360  7zFM.exe  40
  PID 2360 wrote to memory of 2384   2360  7zFM.exe  40
  PID 2360 wrote to memory of 2384   2360  7zFM.exe  40
  PID 2360 wrote to memory of 2384   2360  7zFM.exe  40
Processes

- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Flasher.zip"
  PID: 2360
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\7zO839018F6\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO839018F6\[email protected]"
    PID: 2612
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\7zO839B67A7\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO839B67A7\[email protected]"
    PID: 2440
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    PID: 2808
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    PID: 2756
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    PID: 2384
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x574
  PID: 3020
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\7zO839018F6\[email protected]
  Filesize: 246KB
  MD5: 9254ca1da9ff8ad492ca5fa06ca181c6
  SHA1: 70fa62e6232eae52467d29cf1c1dacb8a7aeab90
  SHA256: 30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
  SHA512: a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a