Overview
Score: 10

Static
Score: 10

Tasks (sample | platform | score)
Hotmail Checker.rar | windows7-x64 | 1
Hotmail Checker.rar | windows10-2004-x64 | 1
Data/Modul...io.dll | windows7-x64 | 1
Data/Modul...io.dll | windows10-2004-x64 | 1
Data/Modul...pi.dll | windows7-x64 | 1
Data/Modul...pi.dll | windows10-2004-x64 | 1
Data/Modules/Jint.dll | windows7-x64 | 1
Data/Modules/Jint.dll | windows10-2004-x64 | 1
Data/Modul...et.dll | windows7-x64 | 1
Data/Modul...et.dll | windows10-2004-x64 | 1
Data/Modul...on.dll | windows7-x64 | 1
Data/Modul...on.dll | windows10-2004-x64 | 1
Data/Modul...um.dll | windows7-x64 | 1
Data/Modul...um.dll | windows10-2004-x64 | 1
Data/Modul...he.exe | windows7-x64 | 1
Data/Modul...he.exe | windows10-2004-x64 | 1
Data/Modul...e1.exe | windows7-x64 | 10
Data/Modul...e1.exe | windows10-2004-x64 | 10
Data/Modul...xe.xml | windows7-x64 | 3
Data/Modul...xe.xml | windows10-2004-x64 | 1
Data/Modul...e1.pdb | windows7-x64 | 3
Data/Modul...e1.pdb | windows10-2004-x64 | 3
Data/Modul...s.json | windows7-x64 | 3
Data/Modul...s.json | windows10-2004-x64 | 3
Jint.dll | windows7-x64 | 1
Jint.dll | windows10-2004-x64 | 1
Start Checker.bat | windows7-x64 | 10
Start Checker.bat | windows10-2004-x64 | 10
settings.json | windows7-x64 | 3
settings.json | windows10-2004-x64 | 3

Analysis
max time kernel: 74s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2024 16:42
Behavioral tasks (task | sample | resource)
behavioral1 | Hotmail Checker.rar | win7-20241010-en
behavioral2 | Hotmail Checker.rar | win10v2004-20241007-en
behavioral3 | Data/Modules/AudioSwitcher.AudioApi.CoreAudio.dll | win7-20240903-en
behavioral4 | Data/Modules/AudioSwitcher.AudioApi.CoreAudio.dll | win10v2004-20241007-en
behavioral5 | Data/Modules/AudioSwitcher.AudioApi.dll | win7-20240903-en
behavioral6 | Data/Modules/AudioSwitcher.AudioApi.dll | win10v2004-20241007-en
behavioral7 | Data/Modules/Jint.dll | win7-20240903-en
behavioral8 | Data/Modules/Jint.dll | win10v2004-20241007-en
behavioral9 | Data/Modules/Leaf.xNet.dll | win7-20240903-en
behavioral10 | Data/Modules/Leaf.xNet.dll | win10v2004-20241007-en
behavioral11 | Data/Modules/Newtonsoft.Json.dll | win7-20240903-en
behavioral12 | Data/Modules/Newtonsoft.Json.dll | win10v2004-20241007-en
behavioral13 | Data/Modules/Sodium.dll | win7-20241010-en
behavioral14 | Data/Modules/Sodium.dll | win10v2004-20241007-en
behavioral15 | Data/Modules/porsche.exe | win7-20240729-en
behavioral16 | Data/Modules/porsche.exe | win10v2004-20241007-en
behavioral17 | Data/Modules/porsche1.exe | win7-20240903-en
behavioral18 | Data/Modules/porsche1.exe | win10v2004-20241007-en
behavioral19 | Data/Modules/porsche1.exe.xml | win7-20240903-en
behavioral20 | Data/Modules/porsche1.exe.xml | win10v2004-20241007-en
behavioral21 | Data/Modules/porsche1.pdb | win7-20240903-en
behavioral22 | Data/Modules/porsche1.pdb | win10v2004-20241007-en
behavioral23 | Data/Modules/settings.json | win7-20240903-en
behavioral24 | Data/Modules/settings.json | win10v2004-20241007-en
behavioral25 | Jint.dll | win7-20241023-en
behavioral26 | Jint.dll | win10v2004-20241007-en
behavioral27 | Start Checker.bat | win7-20240903-en
behavioral28 | Start Checker.bat | win10v2004-20241007-en
behavioral29 | settings.json | win7-20240903-en
behavioral30 | settings.json | win10v2004-20241007-en
General
Target: Hotmail Checker.rar
Size: 667KB
MD5: 25d5d8e397837f866ee0062beae405c8
SHA1: ed1b40f91ba22c6ee5fb78dc77fc3c3a4dc6738e
SHA256: 0de1f1739dfc278a21c75d17be004aa2ea212896d18e56a4495f7b118cd7d7a1
SHA512: 00fe4697e5fda99467872ff3d8ae5f45a7dea3e8cbdf5db8c935f8291c777dd095a3fc4a543171bd6c076e304a6fc1285aaedbbd6d8da24bf6badde9dc682881
SSDEEP: 12288:8qlOkp1CyGNVql3fY308oLdCCqJEr4EnFROLyKeoc31UJmarmojLw56TmfNoj:1lOkpYyGNElvJAlO4EFRTPoYdAxj1ifE
Malware Config
Signatures
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
2572 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | Process
1628 | 7zFM.exe (11 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1628 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 1628 | 7zFM.exe
Token: 35 | 1628 | 7zFM.exe
Token: SeSecurityPrivilege | 1628 | 7zFM.exe (11 identical entries)

Suspicious use of FindShellTrayWindow (12 IoCs)
pid | Process
1628 | 7zFM.exe (12 identical entries)

Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target
PID 1628 wrote to memory of 2128 | 1628 | 7zFM.exe | 30 (3 identical entries)
PID 1628 wrote to memory of 2940 | 1628 | 7zFM.exe | 32 (3 identical entries)
PID 1628 wrote to memory of 2852 | 1628 | 7zFM.exe | 34 (3 identical entries)
PID 1628 wrote to memory of 2572 | 1628 | 7zFM.exe | 36 (3 identical entries)
PID 1628 wrote to memory of 2988 | 1628 | 7zFM.exe | 37 (3 identical entries)
PID 1628 wrote to memory of 1652 | 1628 | 7zFM.exe | 39 (3 identical entries)
PID 1628 wrote to memory of 2860 | 1628 | 7zFM.exe | 41 (3 identical entries)
PID 1628 wrote to memory of 2032 | 1628 | 7zFM.exe | 43 (3 identical entries)
PID 1628 wrote to memory of 1760 | 1628 | 7zFM.exe | 45 (3 identical entries)
PID 1628 wrote to memory of 1424 | 1628 | 7zFM.exe | 47 (3 identical entries)
PID 1628 wrote to memory of 560 | 1628 | 7zFM.exe | 49 (3 identical entries)
Processes
C:\Program Files\7-Zip\7zFM.exe (PID 1628)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Hotmail Checker.rar"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 2128)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC5623EA7\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 2940)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC56EB8A7\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 2852)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC56134A7\Start Checker.bat" "

  C:\Windows\system32\NOTEPAD.EXE (PID 2572)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC56237C7\keyword.txt
    - Opens file in notepad (likely ransom note)

  C:\Windows\system32\cmd.exe (PID 2988)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC56C4158\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 1652)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC560FC48\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 2860)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC5673948\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 2032)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC56D4548\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 1760)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC5634148\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 1424)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC56D6B78\Start Checker.bat" "

  C:\Windows\system32\cmd.exe (PID 560)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC56B4678\Start Checker.bat" "
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 63B
MD5: 7cd830db1b8da52c0062cc6f260a9685
SHA1: ed401d18b0095fc94e4809b7d1ff433dd05697f4
SHA256: d3347618ea5777b3d58e2005afbebe1e9d484405919333f41bc0ddb189261758
SHA512: c735b66dc15a37221b65e9350115db78ee55cb3ef11f401bc9f744be2b1283a16937d62ca8344c071febd6ddd4ccf924b001bbb79a5d03519bf49328264ae097