Resubmissions
Date               Analysis ID          Score
14-02-2025 01:10   250214-bjsnnayne1    10
14-02-2025 01:00   250214-bc5pmsymhw    10
13-02-2025 05:01   250213-fnkwtstpgw    10
13-02-2025 04:24   250213-e1kk6atmaz    10
13-02-2025 04:08   250213-eqe8patkgx    8
12-02-2025 23:56   250212-3yzt3azrdx    10
12-02-2025 23:44   250212-3rgd5szmbm    10
12-02-2025 23:19   250212-3a9dlazkep    10
12-02-2025 13:32   250212-qs211ssrfr    10

Analysis
max time kernel: 77s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-11-2024 23:06
Static task static1
Behavioral task behavioral1: Sample Downloaders.zip, Resource win11-20241007-en
Behavioral task behavioral2: Sample 4363463463464363463463463.zip, Resource win11-20241007-en
Behavioral task behavioral3: Sample 4363463463464363463463463.exe, Resource win11-20241007-en
Behavioral task behavioral4: Sample New Text Document mod.exe, Resource win11-20241007-en
Behavioral task behavioral5: Sample New Text Document mod.exe, Resource win11-20241007-en
General
Target: Downloaders.zip
Size: 12KB
MD5: 94fe78dc42e3403d06477f995770733c
SHA1: ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256: 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512: add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP: 384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RdrCEF.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (AcroRd32.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RdrCEF.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RdrCEF.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RdrCEF.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RdrCEF.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RdrCEF.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)

Modifies Internet Explorer settings
description / ioc / Process:
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)

Modifies registry class (1 IoCs)
description / ioc / Process:
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings (OpenWith.exe)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / Process:
3496 7zFM.exe
4464 OpenWith.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / Process:
Token: SeRestorePrivilege 3496 7zFM.exe
Token: 35 3496 7zFM.exe
Token: SeSecurityPrivilege 3496 7zFM.exe
Token: SeSecurityPrivilege 3496 7zFM.exe
Token: SeSecurityPrivilege 3496 7zFM.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid / Process:
3496 7zFM.exe (4 identical entries)

Suspicious use of SetWindowsHookEx (25 IoCs)
pid / Process:
4464 OpenWith.exe (21 identical entries)
2316 AcroRd32.exe (4 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical entries collapsed, with their count):
PID 4464 wrote to memory of 2316 (OpenWith.exe, target 83): 3 entries
PID 2316 wrote to memory of 3860 (AcroRd32.exe, target 86): 3 entries
PID 3860 wrote to memory of 4612 (RdrCEF.exe, target 87): 41 entries
PID 3860 wrote to memory of 2732 (RdrCEF.exe, target 88): 17 entries
Processes
(indentation shows the parent/child tree; the depth marker from the original listing is given as "level N")

7zFM.exe, PID 3496, level 1
  Image: C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"
  Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

rundll32.exe, PID 240, level 1
  Image: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

OpenWith.exe, PID 4464, level 1
  Image: C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  AcroRd32.exe, PID 2316, level 2
    Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\JoinRename.7z"
    Signatures: System Location Discovery: System Language Discovery; Checks processor information in registry; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    RdrCEF.exe, PID 3860, level 3
      Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      RdrCEF.exe, PID 4612, level 4
        Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=069BC18C815F17DD30D69B5EBEF3A2D9 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        Signatures: System Location Discovery: System Language Discovery

      RdrCEF.exe, PID 2732, level 4
        Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2023F6D37B33C4E55249D561C0BF158F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2023F6D37B33C4E55249D561C0BF158F --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
        Signatures: System Location Discovery: System Language Discovery

      RdrCEF.exe, PID 4488, level 4
        Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DBF0F1DAFB6FE3CD2119A7D057ECB2F8 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        Signatures: System Location Discovery: System Language Discovery

      RdrCEF.exe, PID 2760, level 4
        Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BAFBD602742FEF13822811A22A83CC7E --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        Signatures: System Location Discovery: System Language Discovery

      RdrCEF.exe, PID 2412, level 4
        Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8A9C4B98F3328C99471149682C43EFEE --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        Signatures: System Location Discovery: System Language Discovery

CompPkgSrv.exe, PID 3652, level 1
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding