be6ac2cd293e28b25337d64551f8893d97068cef5c3fd012fb0e133073f64f7b

General

Target

privatools-files.rar
Size

81.6MB
MD5

98c2ceda9dbf52164fff822da4cd21e8
SHA1

c4a454397bd1b3dbce114136aa15d02cf8fb3753
SHA256

be6ac2cd293e28b25337d64551f8893d97068cef5c3fd012fb0e133073f64f7b
SHA512

c17dfad8109b5df9da6d34083526e8a3954c132d2b07b608baf3d3f6f5f9568208804e67f82cb28553a372d564ad088a931dc97b606189e3c9e643891f85e7db
SSDEEP

1572864:3XKdIwet6E4RetXLvBZ757eNB6sYjEA62g0+8WI7c0OUjPU4SK16TxfRKpSJ:36dIwet63c9vBd5M0ZSF0+KwPUjPLRmf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2700	loader.exe
2448	load.exe
2532	loader.exe
1436	loader.exe
2192	Stub.exe

Loads dropped DLL 6 IoCs

pid	Process
2700	loader.exe
2700	loader.exe
2532	loader.exe
1436	loader.exe
2448	load.exe
2192	Stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1544	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1544	7zFM.exe
Token: 35	1544	7zFM.exe
Token: SeSecurityPrivilege	1544	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1544	7zFM.exe
1544	7zFM.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2700	1544	7zFM.exe	29
PID 1544 wrote to memory of 2700	1544	7zFM.exe	29
PID 1544 wrote to memory of 2700	1544	7zFM.exe	29
PID 2700 wrote to memory of 2448	2700	loader.exe	30
PID 2700 wrote to memory of 2448	2700	loader.exe	30
PID 2700 wrote to memory of 2448	2700	loader.exe	30
PID 2700 wrote to memory of 2532	2700	loader.exe	31
PID 2700 wrote to memory of 2532	2700	loader.exe	31
PID 2700 wrote to memory of 2532	2700	loader.exe	31
PID 2532 wrote to memory of 1436	2532	loader.exe	33
PID 2532 wrote to memory of 1436	2532	loader.exe	33
PID 2532 wrote to memory of 1436	2532	loader.exe	33
PID 2448 wrote to memory of 2192	2448	load.exe	34
PID 2448 wrote to memory of 2192	2448	load.exe	34
PID 2448 wrote to memory of 2192	2448	load.exe	34

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\privatools-files.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\7zO806BE527\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO806BE527\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Roaming\load.exe
    "C:\Users\Admin\AppData\Roaming\load.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2448_133817891350704000\Stub.exe
      C:\Users\Admin\AppData\Roaming\load.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2192
- - C:\Users\Admin\AppData\Roaming\loader.exe
    "C:\Users\Admin\AppData\Roaming\loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2532_133817891353668000\loader.exe
      "C:\Users\Admin\AppData\Roaming\loader.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO806BE527\loader.exe

Filesize
43.8MB

MD5
b24f88f0db403ac11a78716ff320deb4

SHA1
9c8d20371469ea36e3587b7ab63f523b8bfd4648

SHA256
2fc809e60498653ef870494366d1d633eed8244332f6bdb14aefaeef1032db44

SHA512
7ca0790b1413d55e623157de8cdd7542d1cd78bd0464cf71c66f617a4332dbf6bb9e8cc2ac01cd70cbd342e995504f96dac38368a17979ce256a0b4724725c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2448_133817891350704000\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2532_133817891353668000\loader.exe

Filesize
8.5MB

MD5
25c312f4da3222a68d209c91945adda8

SHA1
25cfa08c17e2c97e61bd4819a3f4aac03f80ddf5

SHA256
1fb6e99be149836379a93738c525c809cd30bda46330a49a3601c8e9b3372aba

SHA512
aba55518bedda5bdec190635e100ef1cea6e9823ff0ecfbad742aa603270e4da39e2a1fe8df3beebcc633b362d0c61738bcf5003a6145fd5d68f5e2313df5382

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2532_133817891353668000\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
\Users\Admin\AppData\Roaming\load.exe

Filesize
38.5MB

MD5
b72ffc0e6d94d011ddad9018285049e6

SHA1
77c84dab48fa2fc633fde8ad8675900e48209839

SHA256
09b5cbb3c2ac46e0ed298bed4ff08b87ea437dd13b71883b1b087b0a0bdb7f6d

SHA512
6da0259e6eb89ce1187f9531c6eabd023215e12077dccffffa72172571cb991a5146f3964c696cb419fdd3cc89306bfaf20db80a96d4ef0a8206dce3d24bbc3e

Download Submit
\Users\Admin\AppData\Roaming\loader.exe

Filesize
5.3MB

MD5
8106fe1bba482da9cf1436a1fac73230

SHA1
2eea03f71155c437875d00a9c8de052689dcb824

SHA256
c5e0a4e8bcb73aa7b6da814ac986d07836f87aa70af84620087eaa8ccb680ff7

SHA512
a98e7452ecbf0a4493da4d471b719f5c2e88d0526a9b1a9ac7ed3eda1c131401184c425f3b858d588e2b75d5747e47671e7a4d2f04c8071d847f9721dc19bdad

Download Submit
memory/2192-112-0x000000013F990000-0x00000001453CF000-memory.dmp

Filesize
90.2MB

Download
memory/2448-111-0x000000013F1E0000-0x0000000141887000-memory.dmp

Filesize
38.7MB

Download
memory/2700-11-0x0000000000CB0000-0x0000000003882000-memory.dmp

Filesize
43.8MB

Download

Analysis

Sharing