85b8d5214c0bc80b888c6a3404c2a371e3aaba32561d069f454b0af159015396

Resubmissions

28-11-2024 19:39

241128-yc84dstkfn 10

16-11-2024 19:52

241116-ylqcmssfqd 10

16-11-2024 17:56

241116-wjcyeszmht 10

Analysis

max time kernel
97s
max time network
99s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe.zip
Size

1KB
MD5

f3910b212669210383b5efcd278818fe
SHA1

1708977352c5b19d8c126797a34cd1d8eedcfd19
SHA256

85b8d5214c0bc80b888c6a3404c2a371e3aaba32561d069f454b0af159015396
SHA512

f6ab525df5e79d59f05ac7618de628e1e5bf956ce8db9add144214c2c8a64282a0ce79c46ca4b88c1f7754ab8cb7f0883a080e1096c9561edb1f455aff95b499

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2856	New Text Document.exe
2012	New Text Document.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2180	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2180	7zFM.exe
Token: 35	2180	7zFM.exe
Token: SeSecurityPrivilege	2180	7zFM.exe
Token: SeDebugPrivilege	2856	New Text Document.exe
Token: SeDebugPrivilege	2012	New Text Document.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2180	7zFM.exe
2180	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1660	2856	New Text Document.exe	33
PID 2856 wrote to memory of 1660	2856	New Text Document.exe	33
PID 2856 wrote to memory of 1660	2856	New Text Document.exe	33
PID 2012 wrote to memory of 592	2012	New Text Document.exe	36
PID 2012 wrote to memory of 592	2012	New Text Document.exe	36
PID 2012 wrote to memory of 592	2012	New Text Document.exe	36

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Text Document.exe.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2180

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2856 -s 1064
  2⤵
  PID:1660

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2012 -s 1068
  2⤵
  PID:592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\New Text Document.exe

Filesize
4KB

MD5
a239a27c2169af388d4f5be6b52f272c

SHA1
0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

SHA256
98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

SHA512
f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

Download Submit
memory/2012-7-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2856-5-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download