f529fccbca5cbe72b562bca6e48a17917fff867cc2e7abf2629ece002c6f1118

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msq.tar
Size

11.5MB
MD5

9573e2ebda676ca274ef34e74f1ae9cb
SHA1

6c1ff92f8badc7a0bef87ea304d3cff54ffd03ea
SHA256

f529fccbca5cbe72b562bca6e48a17917fff867cc2e7abf2629ece002c6f1118
SHA512

9c7667fed2c786bba1e0ef1e233770d9f84cc6df9056a4801d49ea3303d88907a2df3541b8f05000a4c217c3413f3bd9e3ad8b6b6aa69514cf177dbae91aa0e2
SSDEEP

98304:TZsc9iv1N7DB+T2/oOR/GUa5l7SoQE+MEAQ4MCe6NKMXy08c2fcRFAnQczQXR9OE:0a3RBP506NRXV8c2fcRFAn2h9O3uLB

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.text	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\comment_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.comment\ = "comment_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.data	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.text\ = "text_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\comment_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\comment_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.data\ = "data_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\comment_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\comment_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\comment_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.comment	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\data_auto_file\shell\open\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3068	7zFM.exe
2964	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3068	7zFM.exe
Token: 35	3068	7zFM.exe
Token: SeSecurityPrivilege	3068	7zFM.exe
Token: SeSecurityPrivilege	3068	7zFM.exe
Token: SeSecurityPrivilege	3068	7zFM.exe
Token: SeSecurityPrivilege	3068	7zFM.exe
Token: SeSecurityPrivilege	3068	7zFM.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe
3068	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3064	AcroRd32.exe
3064	AcroRd32.exe
1768	AcroRd32.exe
1768	AcroRd32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2736	3068	7zFM.exe	31
PID 3068 wrote to memory of 2736	3068	7zFM.exe	31
PID 3068 wrote to memory of 2736	3068	7zFM.exe	31
PID 2736 wrote to memory of 2764	2736	rundll32.exe	32
PID 2736 wrote to memory of 2764	2736	rundll32.exe	32
PID 2736 wrote to memory of 2764	2736	rundll32.exe	32
PID 3068 wrote to memory of 2196	3068	7zFM.exe	34
PID 3068 wrote to memory of 2196	3068	7zFM.exe	34
PID 3068 wrote to memory of 2196	3068	7zFM.exe	34
PID 2196 wrote to memory of 3064	2196	rundll32.exe	35
PID 2196 wrote to memory of 3064	2196	rundll32.exe	35
PID 2196 wrote to memory of 3064	2196	rundll32.exe	35
PID 2196 wrote to memory of 3064	2196	rundll32.exe	35
PID 3068 wrote to memory of 2964	3068	7zFM.exe	37
PID 3068 wrote to memory of 2964	3068	7zFM.exe	37
PID 3068 wrote to memory of 2964	3068	7zFM.exe	37
PID 2964 wrote to memory of 2012	2964	rundll32.exe	38
PID 2964 wrote to memory of 2012	2964	rundll32.exe	38
PID 2964 wrote to memory of 2012	2964	rundll32.exe	38
PID 3068 wrote to memory of 908	3068	7zFM.exe	39
PID 3068 wrote to memory of 908	3068	7zFM.exe	39
PID 3068 wrote to memory of 908	3068	7zFM.exe	39
PID 908 wrote to memory of 1768	908	rundll32.exe	40
PID 908 wrote to memory of 1768	908	rundll32.exe	40
PID 908 wrote to memory of 1768	908	rundll32.exe	40
PID 908 wrote to memory of 1768	908	rundll32.exe	40
PID 3068 wrote to memory of 2172	3068	7zFM.exe	41
PID 3068 wrote to memory of 2172	3068	7zFM.exe	41
PID 3068 wrote to memory of 2172	3068	7zFM.exe	41
PID 2172 wrote to memory of 2428	2172	rundll32.exe	42
PID 2172 wrote to memory of 2428	2172	rundll32.exe	42
PID 2172 wrote to memory of 2428	2172	rundll32.exe	42

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\msq.tar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOCFB3FCC6\.text
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCFB3FCC6\.text
    3⤵
    PID:2764
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOCFBDBD57\.comment
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zOCFBDBD57\.comment"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3064
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOCFBF9AD7\__libc_atexit
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCFBF9AD7\__libc_atexit
    3⤵
    PID:2012
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOCFBC8248\pass
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zOCFBC8248\pass"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1768
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOCFB2BD88\.data
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCFB2BD88\.data
    3⤵
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCFB2BD88\.data

Filesize
19KB

MD5
83bd5d1a26ab27ea23b80788c33aef07

SHA1
2815841bef9f6e4b6d9122a1072c11faa524cbbc

SHA256
7a672ae2abd66d170d2ee35d05fd7757779731b1964885a1b6694730cad44a75

SHA512
854ac096cae90c274a3a630c7758aa074164b5af45efb7a641c06dfc7c146e9c3de711cbc4e74429688a0b5e637bd092ade0b7dd99fce7244d2742e7eec61174

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCFB3FCC6\.text

Filesize
2.9MB

MD5
2df22bef7849bf0c7a53b85839d0147c

SHA1
4ac8a2cab67fc6397e7a95daf8cc445eb86701e0

SHA256
7ec8c1a899618135aeaa7bdf12f1097d01472b93afcca3eada457540f7660f52

SHA512
a85cb38cc09f026fb656f5ae930dcbabfeb305240357f9f54cb8a9534a673c4078bf8be93ef53c4f49c89cf00290e26093a3ad54774db1f24a08443801787f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCFBC8248\pass

Filesize
3.1MB

MD5
16cfbb3a9e403bf731ac4bf2bf8e037a

SHA1
1bbf8c0d935a13308a32d91463851aa657618143

SHA256
788bb731c8daae0b306416f6d7fe136efd865f2a7313a0b4bf2f650fee5c72a4

SHA512
608f2d6eac45d032328b369211d171010ab72955f035089c8b5f04f45d98aa0b084810199804a09482a07e68ac92917e30065e9e3018a0315a95c19d61808b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCFBDBD57\.comment

Filesize
125B

MD5
360c0c61b0ec3c486834cb851826878a

SHA1
72a5b5a2d31b3de1cf56f8cb11bf4233750570d3

SHA256
611f25f9197a8ffa4162475a3a0baa2c6440d2d5cc4c5a6d0fb67dc5cd1770bb

SHA512
d4748655772dd88ecb3fd970d1a1f10aa34d7a6102870fd814a2710b1b0ce56f47b545bb5a46a93cbbeb258864ad6f5b2412c6f5e9769d457504becad1d6d09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCFBF9AD7\__libc_atexit

Filesize
4B

MD5
bbd91989d9f51a35c7624921f3019994

SHA1
e3454509b9a8a74e6f0dba274d72b0de81be7fc8

SHA256
72d3e5147ee79c25d104d1cb1864443287ad70b48a0188f294d9e1e5230bc3d9

SHA512
408d5f51aaad4f7214f391c0f3a8854d44ad6a64e15cf46f606f83a15e17801da52ad58db2804ea5f92d0b3508d433f64e3354a640fa2dc043970117e5355018

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8c20dc4b430dea4cea56cca27662844a

SHA1
9df211ea521aad844576112d4f7f6e0cc4cc8ad7

SHA256
58fdab3ac712db9e40610c59303487a14591970607ce95714d67347150fab5ed

SHA512
23fc8c18535d3394b16b8f6c9ace9958fdbe9b48ce4d7860af0ce694b079f438c141978c07f3c56517df6b43b13d7dc257c51b85a20aa7834b6005c22612238e

Download Submit