Overview

Per-task scores (from the report's tab bar):
  Static                                                score 10
  AQUA PREMIUM (1).rar     windows7-x64                 score 10
  AQUA PREMIUM (1).rar     windows10-2004-x64           score 7
  AQUA PREMI...of.exe      windows7-x64                 score 1
  AQUA PREMI...of.exe      windows10-2004-x64           score 7
  ��M̵L�.pyc               windows7-x64                 score 8
  ��M̵L�.pyc               windows10-2004-x64           (no score shown)
  Respoof.cmd              windows7-x64                 (no score shown)
  Respoof.cmd              windows10-2004-x64           score 1
  first.reg                windows7-x64                 score 1
  first.reg                windows10-2004-x64           score 1
Analysis

  max time kernel:   58s
  max time network:  16s
  platform:          windows7_x64
  resource:          win7-20241023-en
  resource tags:     arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  submitted:         24-12-2024 09:03
Behavioral tasks

  task          sample                    resource
  behavioral1   AQUA PREMIUM (1).rar      win7-20241023-en
  behavioral2   AQUA PREMIUM (1).rar      win10v2004-20241007-en
  behavioral3   AQUA PREMIUM Spoof.exe    win7-20240903-en
  behavioral4   AQUA PREMIUM Spoof.exe    win10v2004-20241007-en
  behavioral5   ��M̵L�.pyc               win7-20241010-en
  behavioral6   ��M̵L�.pyc               win10v2004-20241007-en
  behavioral7   Respoof.cmd               win7-20240903-en
  behavioral8   Respoof.cmd               win10v2004-20241007-en
  behavioral9   first.reg                 win7-20240903-en
  behavioral10  first.reg                 win10v2004-20241007-en
General

  Target:  AQUA PREMIUM (1).rar
  Size:    5.8MB
  MD5:     f71e4dec9ba49a0996f577257ec31ed8
  SHA1:    55c9af15d1c9e55f8966d819a623b225fd06f5cc
  SHA256:  05266a1e82541f3908c2acdb6596791f842c4f483546e89cd52c22bb67a3f0f5
  SHA512:  113ff3f29821ea93c71dd32854714caf8efec9ea6f6e78f39254f44358bf6cfab40984d6c72e4951156c03233bbac0a6de748e94459d3ac5ddc91cbb875c9ec7
  SSDEEP:  98304:WoJ7oTgg90I9kbDh3D6cRxeqmN06/JGq46iZ1XNSNxCIH8GYwCudG8pUT0u/:Wopozd9ADpDWNeAJHADSrMw5ju/
Signatures

Executes dropped EXE (6 IoCs)
  pid   process
  2344  AQUA PREMIUM Spoof.exe
  2880  AQUA PREMIUM Spoof.exe
  2800  AQUA PREMIUM Spoof.exe
  2740  AQUA PREMIUM Spoof.exe
  1424  AQUA PREMIUM Spoof.exe
  1740  AQUA PREMIUM Spoof.exe

Loads dropped DLL (14 IoCs)
  pid   process
  2156  7zFM.exe
  2344  AQUA PREMIUM Spoof.exe
  2880  AQUA PREMIUM Spoof.exe
  1200  Process not Found
  1200  Process not Found
  2156  7zFM.exe
  2800  AQUA PREMIUM Spoof.exe
  2740  AQUA PREMIUM Spoof.exe
  1200  Process not Found
  2156  7zFM.exe
  1424  AQUA PREMIUM Spoof.exe
  1740  AQUA PREMIUM Spoof.exe
  1200  Process not Found
  1200  Process not Found

YARA rule matches (rule: upx)
  resource                                                                      yara_rule
  behavioral1/files/0x0006000000016de8-31.dat                                   upx
  behavioral1/memory/2880-33-0x000007FEF6280000-0x000007FEF66E6000-memory.dmp   upx
  behavioral1/memory/2740-69-0x000007FEF6280000-0x000007FEF66E6000-memory.dmp   upx

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  2156  7zFM.exe
  2156  7zFM.exe
  1960  powershell.exe
  2156  7zFM.exe
  2156  7zFM.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2156  7zFM.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                   pid   process
  Token: SeRestorePrivilege     2156  7zFM.exe
  Token: 35                     2156  7zFM.exe
  Token: SeSecurityPrivilege    2156  7zFM.exe
  Token: SeSecurityPrivilege    2156  7zFM.exe
  Token: SeSecurityPrivilege    2156  7zFM.exe
  Token: SeDebugPrivilege       1960  powershell.exe
  Token: SeSecurityPrivilege    2156  7zFM.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
  pid   process
  2156  7zFM.exe  (6 identical entries)

Suspicious use of WriteProcessMemory (24 IoCs; every parent->child write is recorded three times, so there are 8 distinct edges)
  description                        pid   process                  procid_target
  PID 2156 wrote to memory of 2344   2156  7zFM.exe                 30   (x3)
  PID 2344 wrote to memory of 2880   2344  AQUA PREMIUM Spoof.exe   31   (x3)
  PID 2156 wrote to memory of 2800   2156  7zFM.exe                 32   (x3)
  PID 2800 wrote to memory of 2740   2800  AQUA PREMIUM Spoof.exe   34   (x3)
  PID 2156 wrote to memory of 1708   2156  7zFM.exe                 35   (x3)
  PID 1708 wrote to memory of 1960   1708  cmd.exe                  37   (x3)
  PID 2156 wrote to memory of 1424   2156  7zFM.exe                 38   (x3)
  PID 1424 wrote to memory of 1740   1424  AQUA PREMIUM Spoof.exe   39   (x3)
Processes (indentation shows parent/child depth)

C:\Program Files\7-Zip\7zFM.exe  (PID 2156)
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM (1).rar"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe  (PID 2344)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe  (PID 2880)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe"
      - Executes dropped EXE
      - Loads dropped DLL

  C:\Users\Admin\AppData\Local\Temp\7zOC68D6BD6\AQUA PREMIUM Spoof.exe  (PID 2800)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zOC68D6BD6\AQUA PREMIUM Spoof.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zOC68D6BD6\AQUA PREMIUM Spoof.exe  (PID 2740)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zOC68D6BD6\AQUA PREMIUM Spoof.exe"
      - Executes dropped EXE
      - Loads dropped DLL

  C:\Windows\system32\cmd.exe  (PID 1708)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC68EEAE6\Respoof.cmd" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1960)
      command line: PowerShell "Disable-MMAgent -MemoryCompression"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\7zOC68C5667\AQUA PREMIUM Spoof.exe  (PID 1424)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zOC68C5667\AQUA PREMIUM Spoof.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zOC68C5667\AQUA PREMIUM Spoof.exe  (PID 1740)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zOC68C5667\AQUA PREMIUM Spoof.exe"
      - Executes dropped EXE
      - Loads dropped DLL
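The process tree above shows three things a triage script should pull out of a report like this without a human reading it: 7zFM.exe launching an executable straight from one of the 7zO<hex> temp directories the 7-Zip file manager uses for items opened inside an archive, that executable re-launching an identical copy of itself, and cmd.exe running Respoof.cmd, which in turn calls PowerShell with Disable-MMAgent -MemoryCompression. The Python below is an added example written for this page, not code from the sandbox, from 7-Zip, or from the sample's author. It parses the "PID A wrote to memory of B" entries copied from the WriteProcessMemory signature (each edge is recorded three times, so the parser de-duplicates), rebuilds the tree, and flags the three patterns. The rule names, the archive-manager list, the temp-path heuristic and the reading of the self-relaunch as a one-file stub are assumptions of the example; the input data is constructed from the report text above, with only the 2344 and 1708 branches included for brevity.

```python
"""Rebuild a sandbox process tree from 'wrote to memory of' entries and flag
the 7-Zip -> dropped EXE -> self-relaunch / Disable-MMAgent chain.
Added example; the input below is constructed from the report text."""
import re
from collections import defaultdict

# Constructed from the WriteProcessMemory signature in the report. Each
# parent->child write appears three times, exactly as the sandbox lists it.
WPM_LINES = """
PID 2156 wrote to memory of 2344 2156 7zFM.exe 30
PID 2156 wrote to memory of 2344 2156 7zFM.exe 30
PID 2156 wrote to memory of 2344 2156 7zFM.exe 30
PID 2344 wrote to memory of 2880 2344 AQUA PREMIUM Spoof.exe 31
PID 2344 wrote to memory of 2880 2344 AQUA PREMIUM Spoof.exe 31
PID 2344 wrote to memory of 2880 2344 AQUA PREMIUM Spoof.exe 31
PID 2156 wrote to memory of 1708 2156 7zFM.exe 35
PID 2156 wrote to memory of 1708 2156 7zFM.exe 35
PID 2156 wrote to memory of 1708 2156 7zFM.exe 35
PID 1708 wrote to memory of 1960 1708 cmd.exe 37
PID 1708 wrote to memory of 1960 1708 cmd.exe 37
PID 1708 wrote to memory of 1960 1708 cmd.exe 37
"""

# pid -> (image path, command line), copied from the Processes section.
PROCS = {
    2156: (r"C:\Program Files\7-Zip\7zFM.exe",
           r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AQUA PREMIUM (1).rar"'),
    2344: (r"C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe"'),
    2880: (r"C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\7zOC68A86A6\AQUA PREMIUM Spoof.exe"'),
    1708: (r"C:\Windows\system32\cmd.exe",
           r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC68EEAE6\Respoof.cmd" "'),
    1960: (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r'PowerShell "Disable-MMAgent -MemoryCompression"'),
}

# Assumptions of this example: which parents count as archive viewers, and the
# %TEMP%\7zO<hex>\ layout 7-Zip's file manager uses for opened archive items.
ARCHIVE_MANAGERS = {"7zfm.exe", "winrar.exe"}
SEVEN_ZIP_TMP = re.compile(r"\\Temp\\7zO[0-9A-F]+\\", re.I)
DISABLE_MMAGENT = re.compile(r"disable-mmagent\b.*-memorycompression", re.I)

# One entry: "PID <parent> wrote to memory of <child> <parent> <name> <procid_target>".
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (.+?) (\d+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_edges(text):
    """Return the de-duplicated set of (parent_pid, child_pid) edges."""
    edges = set()
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def render_tree(edges, procs):
    """Indented 'pid image' lines, one per process, roots first."""
    kids = defaultdict(list)
    for parent, child in sorted(edges):
        kids[parent].append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{pid} {basename(procs[pid][0])}")
        for child in kids[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def find_chain(edges, procs):
    """Apply the three heuristics to every edge; returns (rule, parent, child)."""
    findings = []
    for parent, child in sorted(edges):
        p_img, _p_cmd = procs[parent]
        c_img, c_cmd = procs[child]
        # 1. An archive viewer spawning something out of its own extraction dir.
        if basename(p_img).lower() in ARCHIVE_MANAGERS and SEVEN_ZIP_TMP.search(c_cmd):
            findings.append(("exec_from_archive_view", parent, child))
        # 2. A temp-dir binary re-launching an identical copy of itself; a common
        #    cause is a one-file bundler stub (assumed here, not stated by the report).
        if p_img.lower() == c_img.lower() and SEVEN_ZIP_TMP.search(c_img):
            findings.append(("self_respawn_from_temp", parent, child))
        # 3. PowerShell turning off Windows memory compression.
        if basename(c_img).lower() == "powershell.exe" and DISABLE_MMAGENT.search(c_cmd):
            findings.append(("memory_compression_disabled", parent, child))
    return findings


if __name__ == "__main__":
    edges = parse_edges(WPM_LINES)
    print("\n".join(render_tree(edges, PROCS)))
    for rule, parent, child in find_chain(edges, PROCS):
        print(f"{rule}: {parent} -> {child}")
```

The three rules are deliberately keyed on command lines rather than on file hashes: the hashes in the General and Downloads sections identify this one archive, while the 7zO<hex> path, the self-relaunch and the Disable-MMAgent invocation survive a rebuild of the sample.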
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 65B
  MD5:      a64d3a4c1d61344273de4e3f2dd3b652
  SHA1:     245859a286db226f15a0c8c51c9b71f31ea1b79a
  SHA256:   6f4b8912c0f77f2e589e8fed98246680bdd01a442f91729ce15ee812b8f4d50e
  SHA512:   e564799596d11b71590569f8c7b31fe7446cabc2dc6bc423308edf7ad2fcb74cbc621891cc594a6b2ebc8320600d0ca2530e92042477246914c55f369d2856cb

  Filesize: 1.4MB
  MD5:      3f782cf7874b03c1d20ed90d370f4329
  SHA1:     08a2b4a21092321de1dcad1bb2afb660b0fa7749
  SHA256:   2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
  SHA512:   950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

  Filesize: 5.9MB
  MD5:      47911cfecd3dcd8b505235dd9b187992
  SHA1:     9c874cead1208b3b77f0ae535d07522629e6e676
  SHA256:   3aac1ef0cd3825fbb753199f1fe31430f4aba354cc4fb8e7db74b63ac8f7efdf
  SHA512:   cac06ffeb06e83c2e0a4c98512dde8292c2800a35a4653621e6cdd2877293381ebf7f773456974b4181838e98916ff9a6c6d5ec2ec145398cfddbb2668889eec