c1861b06a39280c8a5168f5d7b3f92f7376827e2d5a8f5818c9124ca39b79b5a

Analysis

max time kernel
147s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Surs.zip
Size

16.8MB
MD5

9d8f969f75a0ca286c2136bd3f40f715
SHA1

0a5c8389756543598fda4f96a6ec39b1a36ebc65
SHA256

c1861b06a39280c8a5168f5d7b3f92f7376827e2d5a8f5818c9124ca39b79b5a
SHA512

972bd84b72d243cbcb92bbc8cca75a18efa793b6b710e6fccfc8950b60a62349f05c4b3f619dc8d4e7c453174ceaa91545009334caebf49685afef0c670f12f3
SSDEEP

393216:ScGZay/zj0EM+uJrbhjq0iNzEFC2ZZuyq1qa1Xdz2ubFnejeLECP:S7aG0NJnhj8p6ZuyGq+l2ubleCf

Score

1^/10

Malware Config

Signatures

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2700	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2700	7zFM.exe
Token: 35	2700	7zFM.exe
Token: SeSecurityPrivilege	2700	7zFM.exe
Token: SeSecurityPrivilege	2700	7zFM.exe
Token: SeSecurityPrivilege	2700	7zFM.exe
Token: SeSecurityPrivilege	2700	7zFM.exe
Token: SeSecurityPrivilege	2700	7zFM.exe
Token: SeSecurityPrivilege	2700	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe
2700	7zFM.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3924	2700	7zFM.exe	80
PID 2700 wrote to memory of 3924	2700	7zFM.exe	80
PID 3924 wrote to memory of 2224	3924	cmd.exe	84
PID 3924 wrote to memory of 2224	3924	cmd.exe	84
PID 3924 wrote to memory of 2000	3924	cmd.exe	85
PID 3924 wrote to memory of 2000	3924	cmd.exe	85
PID 2700 wrote to memory of 1400	2700	7zFM.exe	86
PID 2700 wrote to memory of 1400	2700	7zFM.exe	86
PID 1400 wrote to memory of 2056	1400	cmd.exe	88
PID 1400 wrote to memory of 2056	1400	cmd.exe	88
PID 1400 wrote to memory of 2864	1400	cmd.exe	89
PID 1400 wrote to memory of 2864	1400	cmd.exe	89
PID 2700 wrote to memory of 1572	2700	7zFM.exe	95
PID 2700 wrote to memory of 1572	2700	7zFM.exe	95
PID 1572 wrote to memory of 2932	1572	cmd.exe	97
PID 1572 wrote to memory of 2932	1572	cmd.exe	97
PID 1572 wrote to memory of 4912	1572	cmd.exe	98
PID 1572 wrote to memory of 4912	1572	cmd.exe	98
PID 2700 wrote to memory of 4144	2700	7zFM.exe	101
PID 2700 wrote to memory of 4144	2700	7zFM.exe	101
PID 4144 wrote to memory of 2608	4144	cmd.exe	103
PID 4144 wrote to memory of 2608	4144	cmd.exe	103
PID 4144 wrote to memory of 2988	4144	cmd.exe	104
PID 4144 wrote to memory of 2988	4144	cmd.exe	104
PID 2700 wrote to memory of 4288	2700	7zFM.exe	105
PID 2700 wrote to memory of 4288	2700	7zFM.exe	105
PID 4288 wrote to memory of 3904	4288	cmd.exe	107
PID 4288 wrote to memory of 3904	4288	cmd.exe	107
PID 4288 wrote to memory of 4860	4288	cmd.exe	108
PID 4288 wrote to memory of 4860	4288	cmd.exe	108
PID 2700 wrote to memory of 1748	2700	7zFM.exe	109
PID 2700 wrote to memory of 1748	2700	7zFM.exe	109
PID 1748 wrote to memory of 1368	1748	cmd.exe	111
PID 1748 wrote to memory of 1368	1748	cmd.exe	111
PID 1748 wrote to memory of 2500	1748	cmd.exe	112
PID 1748 wrote to memory of 2500	1748	cmd.exe	112

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Surs.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOC8A34B97\gradlew.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java.exe -version
    3⤵
    PID:2224
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "java.exe" "-Dorg.gradle.appname=gradlew" -classpath "C:\Users\Admin\AppData\Local\Temp\7zOC8A34B97\\gradle\wrapper\gradle-wrapper.jar" org.gradle.wrapper.GradleWrapperMain
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOC8A3FAA7\gradlew.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java.exe -version
    3⤵
    PID:2056
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "java.exe" "-Dorg.gradle.appname=gradlew" -classpath "C:\Users\Admin\AppData\Local\Temp\7zOC8A3FAA7\\gradle\wrapper\gradle-wrapper.jar" org.gradle.wrapper.GradleWrapperMain
    3⤵
    PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOC8AE3248\gradlew.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java.exe -version
    3⤵
    PID:2932
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "java.exe" "-Dorg.gradle.appname=gradlew" -classpath "C:\Users\Admin\AppData\Local\Temp\7zOC8AE3248\\gradle\wrapper\gradle-wrapper.jar" org.gradle.wrapper.GradleWrapperMain
    3⤵
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOC8A8C4C8\gradlew.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java.exe -version
    3⤵
    PID:2608
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "java.exe" "-Dorg.gradle.appname=gradlew" -classpath "C:\Users\Admin\AppData\Local\Temp\7zOC8A8C4C8\\gradle\wrapper\gradle-wrapper.jar" org.gradle.wrapper.GradleWrapperMain
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOC8A64ED8\gradlew.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java.exe -version
    3⤵
    PID:3904
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "java.exe" "-Dorg.gradle.appname=gradlew" -classpath "C:\Users\Admin\AppData\Local\Temp\7zOC8A64ED8\\gradle\wrapper\gradle-wrapper.jar" org.gradle.wrapper.GradleWrapperMain
    3⤵
    PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOC8A148D8\gradlew.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java.exe -version
    3⤵
    PID:1368
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "java.exe" "-Dorg.gradle.appname=gradlew" -classpath "C:\Users\Admin\AppData\Local\Temp\7zOC8A148D8\\gradle\wrapper\gradle-wrapper.jar" org.gradle.wrapper.GradleWrapperMain
    3⤵
    PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1704

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
6dfba5b16c9581bdeda814832d433a04

SHA1
6a263c136290cf417aaf1d07cae8cca9436ef659

SHA256
ae5330a2833f1097984cf1ea02f093e9f0454cf837a921cf3add211b1b10b001

SHA512
eafaf562a2a289d43d29b3413689e1bdd52737ff88bdf3e7c90d93447fe6521505e51c42a057b82bc70c2121ca6509a07f4bc1a5681153a2a648b2f672dfead2

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1ecee20f5ecb63246376bc4580bbfa8b

SHA1
3167cf4f60f34bee7b883c8fcf5f8d6500317fe9

SHA256
57debfbd88a816ebbdb7368e5b1d52dd40e0297d864160c7124b2b7a933ae8e3

SHA512
87b85db6f2b8e75ce7ac3a316a289dadc75273742c1ab4020aa6a979631a9526ee7c8f058bc7fad0f3aa48e8a7a0b9602cf89e503fe635697d35df621062107a

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
a37bfb37d12cf03dc48a299067c829fa

SHA1
6b1cd121dc5c2dc77339f773dde1b685357c44c4

SHA256
72e0c1f74386a6bb1aeb6be31638e67e9f5ad65ff163897c4774c6ed2992887a

SHA512
52774d66e4b49fe289f77870921c3f9af014e9c800afdecf685d9726d5459eb5bc6df085c1eacabda82a166c7be3b83f5a9bb59634ee9d6a0975a0bf17d6e61c

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
88beb3cd827c2651b312ff457de2b617

SHA1
cc6e2c9816ec85787b871ad5dc4d376bad5aed5a

SHA256
53f5f591a0fe7f1bcfc8c5dd6b7bdb779f7654e04523bee38e1c46978f3a93a4

SHA512
c6515938b46f3c40ff541700e550a573020090856e3ea1a731e6f90d318efa657af91292414dcb8a4fd449c2101db78040dd51f62d8adcee2aca0834101276f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\92574e46-b00b-4b7c-92af-b793097f0ac2.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC8A34B97\gradlew.bat

Filesize
2KB

MD5
b19dcfdb742582b6ccb4e0f4c77791b1

SHA1
aad30867c46885fcfc019c318138b0f62fa53172

SHA256
2f18fc6abd50803de7b3a225038d284268904c9d13caa6cf81f99365dc876479

SHA512
9336d2e0d52322fad871f89130903c8f0a14fa6be6579f653c7959d83d0fde7a99106e7878aa3168713c0ce1a0904f72527ddca99543016dbe54d7fe109fd9eb

Download Submit
memory/1368-174-0x000001AC5BFB0000-0x000001AC5BFB1000-memory.dmp

Filesize
4KB

Download
memory/2000-30-0x000002C4C92F0000-0x000002C4C92F1000-memory.dmp

Filesize
4KB

Download
memory/2056-47-0x0000016EB95D0000-0x0000016EB95D1000-memory.dmp

Filesize
4KB

Download
memory/2224-18-0x0000024B80000000-0x0000024B80270000-memory.dmp

Filesize
2.4MB

Download
memory/2224-17-0x0000024BFCCD0000-0x0000024BFCCD1000-memory.dmp

Filesize
4KB

Download
memory/2224-7-0x0000024B80000000-0x0000024B80270000-memory.dmp

Filesize
2.4MB

Download
memory/2500-186-0x000002AA234D0000-0x000002AA234D1000-memory.dmp

Filesize
4KB

Download
memory/2608-114-0x00000193B44B0000-0x00000193B44B1000-memory.dmp

Filesize
4KB

Download
memory/2864-60-0x0000028ABC2F0000-0x0000028ABC2F1000-memory.dmp

Filesize
4KB

Download
memory/2932-78-0x00000170BA6A0000-0x00000170BA6A1000-memory.dmp

Filesize
4KB

Download
memory/2988-126-0x0000013B1F9C0000-0x0000013B1F9C1000-memory.dmp

Filesize
4KB

Download
memory/3904-144-0x0000014B622E0000-0x0000014B622E1000-memory.dmp

Filesize
4KB

Download
memory/4860-156-0x000001EFF6480000-0x000001EFF6481000-memory.dmp

Filesize
4KB

Download
memory/4912-90-0x000001C32D360000-0x000001C32D361000-memory.dmp

Filesize
4KB

Download