1018ad28adc4c368308ed52fbb9d82337b581d7191aa0c11f428ef00c977100c

Resubmissions

12-12-2024 18:25

241212-w2m64ssngw 10

10-12-2024 17:57

241210-wjmsmaxjhj 10

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.zip
Size

30.1MB
MD5

b92085c896b23aa3614ba281a36c21ca
SHA1

e8c86707789cd46f491a3a3c2ee1ffab047a9d27
SHA256

1018ad28adc4c368308ed52fbb9d82337b581d7191aa0c11f428ef00c977100c
SHA512

9503ee0b2960c1bc92ed922daabd16fd67347139e052fc6bf746b04e8a9d3b9bdb39dc5f1d94a7d61b4c43f0b4f0d59c363e7852984dff63b479eee136799b6d
SSDEEP

786432:2CAHAeVeAeUfBNad2W1f8k70+1fHAAeQL6tCTYJ8a:2DHAq5eUDw2W1Uk0+1fTKCsB

Score

7^/10

discovery pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2700	test.exe
3036	test.exe

Loads dropped DLL 12 IoCs

pid	Process
2172	7zFM.exe
2700	test.exe
3036	test.exe
3036	test.exe
3036	test.exe
3036	test.exe
3036	test.exe
3036	test.exe
3036	test.exe
1192	Process not Found
1192	Process not Found
2172	7zFM.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020aa7-1219.dat	upx
behavioral1/memory/3036-1221-0x000007FEF5770000-0x000007FEF5DD5000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000016d66-4.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpshare.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2172	7zFM.exe
3036	test.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2172	7zFM.exe
Token: 35	2172	7zFM.exe
Token: SeSecurityPrivilege	2172	7zFM.exe
Token: SeSecurityPrivilege	2172	7zFM.exe
Token: SeSecurityPrivilege	2172	7zFM.exe
Token: SeSecurityPrivilege	2172	7zFM.exe
Token: SeSecurityPrivilege	2172	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2172	7zFM.exe
2172	7zFM.exe
2172	7zFM.exe
2172	7zFM.exe
2172	7zFM.exe
1984	wmplayer.exe
2172	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2700	2172	7zFM.exe	30
PID 2172 wrote to memory of 2700	2172	7zFM.exe	30
PID 2172 wrote to memory of 2700	2172	7zFM.exe	30
PID 2700 wrote to memory of 3036	2700	test.exe	31
PID 2700 wrote to memory of 3036	2700	test.exe	31
PID 2700 wrote to memory of 3036	2700	test.exe	31
PID 1984 wrote to memory of 1848	1984	wmplayer.exe	36
PID 1984 wrote to memory of 1848	1984	wmplayer.exe	36
PID 1984 wrote to memory of 1848	1984	wmplayer.exe	36
PID 1984 wrote to memory of 1848	1984	wmplayer.exe	36

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\test.zip"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\7zOC783F5B6\test.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC783F5B6\test.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\7zOC783F5B6\test.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC783F5B6\test.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3036

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1040

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files (x86)\Windows Media Player\wmpshare.exe
  "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{538CFEEF-EFD7-498D-A005-15FAB08DB426}.jpg

Filesize
22KB

MD5
35e787587cd3fa8ed360036c9fca3df2

SHA1
84c76a25c6fe336f6559c033917a4c327279886d

SHA256
98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

SHA512
aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{C86C341C-83EF-42FF-B417-850AE5E3A94E}.jpg

Filesize
23KB

MD5
fd5fd28e41676618aac733b243ad54db

SHA1
b2d69ad6a2e22c30ef1806ac4f990790c3b44763

SHA256
a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

SHA512
4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC783F5B6\test.exe

Filesize
30.3MB

MD5
3a2e61b5e8cfcecb121e9fe2f58ca2b5

SHA1
db8f25c7952d357c05c2cc16fa50f0458e820ce3

SHA256
2c2aa42eb7f6677f6c19b62370a96acfaa919582d07cabeac74770efc8bb488a

SHA512
4c7036898179a0b4a383a246066f25b1fea371d82734ee864a0e67d1ad553111e8d599821cde830f7a92049236b8819aeebd15be8995040a2648574b9eebe30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27002\api-ms-win-core-file-l1-2-0.dll

Filesize
20KB

MD5
d92e6a007fc22a1e218552ebfb65da93

SHA1
3c9909332e94f7b7386664a90f52730f4027a75a

SHA256
03bd3217eae0ef68521b39556e7491292db540f615da873dd8da538693b81862

SHA512
b8b0e6052e68c08e558e72c168e4ff318b1907c4dc5fc1cd1104f5cae7cc418293013dabbb30c835a5c35a456e1cb22cc352b7ae40f82b9b7311bb7419d854c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27002\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27002\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
de5695f26a0bcb54f59a8bc3f9a4ecef

SHA1
99c32595f3edc2c58bdb138c3384194831e901d6

SHA256
e9539fce90ad8be582b25ab2d5645772c2a5fb195e602ecdbf12b980656e436a

SHA512
df635d5d51cdea24885ae9f0406f317ddcf04ecb6bfa26579bb2e256c457057607844ded4b52ff1f5ca25abe29d1eb2b20f1709cf19035d3829f36bbe31f550f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27002\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
20KB

MD5
74c264cffc09d183fcb1555b16ea7e4b

SHA1
0b5b08cdf6e749b48254ac811ca09ba95473d47c

SHA256
a8e2fc077d9a7d2faa85e1e6833047c90b22c6086487b98fc0e6a86b7bf8bf09

SHA512
285afbcc39717510ced2ed096d9f77fc438268ecaa59cff3cf167fcc538e90c73c67652046b0ee379e0507d6e346af79d43c51a571c6dd66034f9385a73d00d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27002\api-ms-win-core-timezone-l1-1-0.dll

Filesize
20KB

MD5
cb39eea2ef9ed3674c597d5f0667b5b4

SHA1
c133dc6416b3346fa5b0f449d7cc6f7dbf580432

SHA256
1627b921934053f1f7d2a19948aee06fac5db8ee8d4182e6f071718d0681f235

SHA512
2c65014dc045a2c1e5f52f3fea4967d2169e4a78d41fe56617ce9a4d5b30ebf25043112917ff3d7d152744ddef70475937ae0a7f96785f97dcefafe8e6f14d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27002\python313.dll

Filesize
1.8MB

MD5
13e0653e90a091bde333f7e652ac6f8b

SHA1
130f3271120487b4aac482af56f4de6673aaaeda

SHA256
a89f9220c5afcb81b9a91f00b3bea9ed21ebd2cbae00785cbc2db264d90c862c

SHA512
ad513df8f9a53cb3a8e5bc430a977c4079e7d7547fce43fe29288988ee458ff2ea922eb979582fe4c276e58cd6ef8d771bf6535170554b82c5d54d87caaf5366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27002\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf780992.TMP

Filesize
1KB

MD5
08a40687648b074ab9828b23ea0a4916

SHA1
cf0d358cf8d589694e3c777fb1871a5cdd8acd43

SHA256
dc9532f6c37c5a4994df89693c4940a4fcb286ec331e3022ee0393a5518ff3bd

SHA512
a32ba0812beb2ec0c49dad9a20256bf65cc3f30d24edcfe335b5308e5f99cd409b58d616f563dba4f01af7b45d1ed364546ec9e365de42504e9e2dc72384a5f4

Download Submit
memory/3036-1221-0x000007FEF5770000-0x000007FEF5DD5000-memory.dmp

Filesize
6.4MB

Download