Analysis

max time kernel: 56s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-12-2024 17:28

Behavioral task: behavioral1
Sample: Nueva carpeta.rar
Resource: win11-20241007-en
Platform: windows11-21h2-x64
8 signatures
150 seconds
General

Target: Nueva carpeta.rar
Size: 283.5MB
MD5: 9c2ead201a1337bed740e5a7dd688039
SHA1: 65a69bbf98216d141287903359ee606d3867d8f6
SHA256: ab78cc9b59a6e911f8e0fb608e1b22af481b44a49c765ecd68c4eddd576eb424
SHA512: 4f1f386335fbf96d5272db224eb2367df4d93f5edc76f9e82b70b297cc4645e3cbf235a3e2d652bd404b5e1984ee7e0a1d7e6cff6e971755eb1983ce69ce7ce0
SSDEEP: 6291456:3filrknPM1k8M45ydxCNqlj8q3lNBykkRm0yP8Skm1:3LPzTd0clXd78M
Score: 7/10
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  3564  Oxyco_Android_Pro_v3_Cracked.exe
  820   Oxyco_Android_Pro_v3_Cracked.exe
Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2848  3564        WerFault.exe  80
  3828  820         WerFault.exe  87
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Oxyco_Android_Pro_v3_Cracked.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Oxyco_Android_Pro_v3_Cracked.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                 taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                    taskmgr.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid  Process
  244  taskmgr.exe  (all 30 entries)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                        pid   Process
  Token: SeRestorePrivilege          2664  7zFM.exe
  Token: 35                          2664  7zFM.exe
  Token: SeSecurityPrivilege         2664  7zFM.exe
  Token: SeDebugPrivilege            244   taskmgr.exe
  Token: SeSystemProfilePrivilege    244   taskmgr.exe
  Token: SeCreateGlobalPrivilege     244   taskmgr.exe
  Token: 33                          244   taskmgr.exe
  Token: SeIncBasePriorityPrivilege  244   taskmgr.exe
Suspicious use of FindShellTrayWindow (57 IoCs)
  pid   Process
  2664  7zFM.exe     (2 entries)
  244   taskmgr.exe  (55 entries)
Suspicious use of SendNotifyMessage (55 IoCs)
  pid  Process
  244  taskmgr.exe  (all 55 entries)
Processes

C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nueva carpeta.rar"
  PID: 2664
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4912

C:\Users\Admin\Desktop\Nueva carpeta\Oxyco_Android_Pro_v3_Cracked.exe
  Command line: "C:\Users\Admin\Desktop\Nueva carpeta\Oxyco_Android_Pro_v3_Cracked.exe"
  PID: 3564
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 812
      PID: 2848
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3564 -ip 3564
  PID: 5088

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 244
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\Desktop\Nueva carpeta\Oxyco_Android_Pro_v3_Cracked.exe
  Command line: "C:\Users\Admin\Desktop\Nueva carpeta\Oxyco_Android_Pro_v3_Cracked.exe"
  PID: 820
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 784
      PID: 3828
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 820 -ip 820
  PID: 1972