Overview (score 10)
Static (score 10)

Per-task scores as shown on the task tabs (file names are truncated on the tab; full names are in the Behavioral task list below):

Sample                  Platform             Score
Pvt Hooks.rar           windows7-x64         7
Pvt Hooks.rar           windows10-2004-x64   8
Pvt Hooks/Read.txt      windows7-x64         1
Pvt Hooks/Read.txt      windows10-2004-x64   1
Pvt Hooks/...us.dll     windows7-x64         1
Pvt Hooks/...us.dll     windows10-2004-x64   1
Pvt Hooks/...or.exe     windows7-x64         7
Pvt Hooks/...or.exe     windows10-2004-x64   8
.pyc                    windows7-x64         3
.pyc                    windows10-2004-x64   3
Analysis (behavioral1, windows7-x64)

Max time kernel:   119s
Max time network:  120s
Platform:          windows7_x64
Resource:          win7-20240903-en
Resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted:         30/11/2024, 06:10
Behavioral tasks

Task          Sample                          Resource
behavioral1   Pvt Hooks.rar                   win7-20240903-en
behavioral2   Pvt Hooks.rar                   win10v2004-20241007-en
behavioral3   Pvt Hooks/Read.txt              win7-20240903-en
behavioral4   Pvt Hooks/Read.txt              win10v2004-20241007-en
behavioral5   Pvt Hooks/ascendhookopus.dll    win7-20240729-en
behavioral6   Pvt Hooks/ascendhookopus.dll    win10v2004-20241007-en
behavioral7   Pvt Hooks/injector.exe          win7-20240903-en
behavioral8   Pvt Hooks/injector.exe          win10v2004-20241007-en
behavioral9   .pyc                            win7-20240903-en
behavioral10  .pyc                            win10v2004-20241007-en
General

Target:  Pvt Hooks.rar
Size:    7.3MB
MD5:     f2f2bc99451966cbe5d3eac82d04c192
SHA1:    91ecfd21be0f9df10ace16606a8e83063d20aece
SHA256:  899517a9868cd13a0598c60129bc8050a0d5afc6259c9108a59c8a7f26a1e2ed
SHA512:  39dfd96ceb1fb11745ed51b6ee0085a4dd94a563490e5ee4b313838615c373de282b75247eefcfaf1d514d5bcf3336783832046e216ed8adf69cfadde4bb63a5
SSDEEP:  196608:EXHOAPIky5foxxnbmG5B5oMzdt5CmfdTyb/XE:EXOAxJ3nCqhzZfd+r0
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID    Process
  2496   injector.exe
  2884   injector.exe

Loads dropped DLL (5 IoCs)
  PID    Process
  2508   7zFM.exe
  2496   injector.exe
  2884   injector.exe
  1204   Process not Found
  1204   Process not Found

YARA rule matches: upx (3 IoCs)
  Resource                                                                      Rule
  behavioral1/files/0x0006000000016c89-31.dat                                   upx
  behavioral1/memory/2884-33-0x000007FEF57A0000-0x000007FEF5E70000-memory.dmp   upx
  behavioral1/memory/2884-36-0x000007FEF57A0000-0x000007FEF5E70000-memory.dmp   upx

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID    Process
  2508   7zFM.exe
  2884   injector.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token                                        PID    Process
  SeRestorePrivilege                           2508   7zFM.exe
  35 (LUID 35, SeCreateSymbolicLinkPrivilege)  2508   7zFM.exe
  SeSecurityPrivilege                          2508   7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID    Process
  2508   7zFM.exe
  2508   7zFM.exe

Suspicious use of WriteProcessMemory (6 IoCs; each write is listed three times in the raw table)
  Source PID   Source process   Target PID   procid_target
  2508         7zFM.exe         2496         30
  2508         7zFM.exe         2496         30
  2508         7zFM.exe         2496         30
  2496         injector.exe     2884         31
  2496         injector.exe     2884         31
  2496         injector.exe     2884         31
Processes

7zFM.exe (PID 2508)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Pvt Hooks.rar"
  Signatures: Loads dropped DLL; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  |
  +-- injector.exe (PID 2496)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zOCC98AA96\injector.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        |
        +-- injector.exe (PID 2884)
              Command line: "C:\Users\Admin\AppData\Local\Temp\7zOCC98AA96\injector.exe"
              Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: GetForegroundWindowSpam

The chain is 7zFM.exe (2508) -> injector.exe (2496) -> injector.exe (2884): 7-Zip launches the extracted executable, and that executable spawns a second copy of itself. The UPX YARA hits are in the memory of the second copy (PID 2884), not in the first.
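To make the Signatures and Processes data above easier to reason about, here is an added example (not part of the sandbox report) that rebuilds the process tree from the WriteProcessMemory rows, de-duplicates the triplicated entries, flags writes where a dropped executable targets a process carrying its own image name, and decodes the UPX memory-dump identifier into a region size. The row text is copied verbatim from this report; the row and dump-name formats are assumed from this page's layout and may not hold for other reports.

```python
"""Rebuild the sandbox process tree from the signature rows on this page.

Added example, not part of the report. Input rows are copied from the
'Suspicious use of WriteProcessMemory', 'Executes dropped EXE' and
'yara_rule upx' tables; the parsing formats are assumptions about this
report's layout."""
import re
from collections import defaultdict

# Copied from the report: each cross-process write appears three times.
WRITE_ROWS = [
    "PID 2508 wrote to memory of 2496 2508 7zFM.exe 30",
    "PID 2508 wrote to memory of 2496 2508 7zFM.exe 30",
    "PID 2508 wrote to memory of 2496 2508 7zFM.exe 30",
    "PID 2496 wrote to memory of 2884 2496 injector.exe 31",
    "PID 2496 wrote to memory of 2884 2496 injector.exe 31",
    "PID 2496 wrote to memory of 2884 2496 injector.exe 31",
]
# Copied from 'Executes dropped EXE' and the root of the process tree.
DROPPED_EXE = {2496: "injector.exe", 2884: "injector.exe"}
ROOT_PID, ROOT_IMAGE = 2508, "7zFM.exe"
# Copied from the upx YARA table.
UPX_DUMP = "behavioral1/memory/2884-33-0x000007FEF57A0000-0x000007FEF5E70000-memory.dmp"

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
DUMP_RE = re.compile(r".*/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_writes(rows):
    """Return unique (src_pid, dst_pid, src_image, procid_target) tuples, in order."""
    unique = []
    for row in rows:
        m = ROW_RE.fullmatch(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        entry = (int(m[1]), int(m[2]), m[3], int(m[4]))
        if entry not in unique:  # the report lists every write three times
            unique.append(entry)
    return unique


def build_tree(writes, images):
    """Map each source PID to the PIDs it wrote into; fill in image names as seen."""
    children = defaultdict(list)
    for src, dst, src_image, _ in writes:
        images.setdefault(src, src_image)
        children[src].append(dst)
    return children


def render(children, images, pid, depth=0):
    """Indented text tree rooted at pid, one line per process."""
    lines = ["  " * depth + f"{images.get(pid, '?')} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


def self_image_writes(writes, images):
    """Writes from a dropped EXE into a process that has the same image name.

    A parent writing into a child it just created is what CreateProcess does,
    so this is a triage hint, not proof of injection."""
    return [(src, dst) for src, dst, img, _ in writes
            if src in DROPPED_EXE and images.get(dst) == img]


def parse_memory_region(dump_name):
    """Decode '<pid>-<n>-0x<start>-0x<end>-memory.dmp' into (pid, start, end, size)."""
    m = DUMP_RE.fullmatch(dump_name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {dump_name!r}")
    pid, start, end = int(m[1]), int(m[2], 16), int(m[3], 16)
    return pid, start, end, end - start


def report_tree():
    """Convenience wrapper: tree lines and self-image writes for this report."""
    images = {ROOT_PID: ROOT_IMAGE, **DROPPED_EXE}
    writes = parse_writes(WRITE_ROWS)
    children = build_tree(writes, images)
    return render(children, images, ROOT_PID), self_image_writes(writes, images)


if __name__ == "__main__":
    tree, flagged = report_tree()
    print("\n".join(tree))
    print("dropped EXE writing into a same-image process:", flagged)
    pid, start, end, size = parse_memory_region(UPX_DUMP)
    print(f"upx hit in PID {pid}: 0x{start:X}-0x{end:X} ({size} bytes)")
```

Running it reproduces the 7zFM.exe -> injector.exe -> injector.exe chain from the Processes section, flags only the 2496 -> 2884 write, and shows that the UPX hit covers a 0x6D0000-byte (about 7 MB) region in PID 2884. The 7zFM.exe -> injector.exe write is 7-Zip launching the extracted file, which is why the same signature fires on the archiver; the injector.exe self-spawn with a UPX-packed region in the child is the part worth pulling the memory dump for.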
Network
MITRE ATT&CK Matrix
Downloads

Dropped file 1
  Filesize:  1.7MB
  MD5:       86d9b8b15b0340d6ec235e980c05c3be
  SHA1:      a03bdd45215a0381dcb3b22408dbc1f564661c73
  SHA256:    12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6
  SHA512:    d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Dropped file 2
  Filesize:  7.5MB
  MD5:       5ac349d31df2f8659f3cbafb6c364d63
  SHA1:      6b897500c22044917fae28b0bfacdf06fb2c9a81
  SHA256:    38fe07cf164f35010e97497f66a0435b77b625e69a4c211c8c3b111c4afedf5a
  SHA512:    dea18006743d2e2abfd647f43d24e263aa3725eed1e61b53610fa4f85b7882aced03122dfb7c002e78930772a264befe03568404b62ca50cf290f4734bcf7bb2