7d4c8704094207a1cb9a3a6fd9abb5130a05c718e6fbf47179a89d045bd25852

Analysis

max time kernel
129s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

illil.zip
Size

152B
MD5

a392d3ea1273190dac1c392ea3742e66
SHA1

7cb70c753b59b36657eb4c2d4aef0168fccedb2e
SHA256

7d4c8704094207a1cb9a3a6fd9abb5130a05c718e6fbf47179a89d045bd25852
SHA512

e590f80e3bfb7a89773e5e261f8552eb12ce632c540cfbc5ff505ff36e20bac34f672337c471d7b05f897ee85fd65e147ea2c63ecfa5208b6753ad2a54372123

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	7zFM.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2508	7zFM.exe
2852	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2508	7zFM.exe
Token: 35	2508	7zFM.exe
Token: SeSecurityPrivilege	2508	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2508	7zFM.exe
2508	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	AcroRd32.exe
2852	AcroRd32.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\illil.zip"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2508

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\illil.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
04edb93ea1501245770250f107621ee1

SHA1
20c4f2a3b76deca310b9cac31d1c475558678266

SHA256
20ee2df1b87c5718893bd63a6ce6fc37d6e9f6001529e845324c9a8b0c171aa3

SHA512
0fcc3a2617063a711c889c7461fcc3a9a127abc07b0b3ee51708d72ca1f69ad4992a6d012c63fe1ecde54ffef5514b175be69b725392735fbd0acb85f981ac67

Download Submit