916f1b6644b58d164c74b9d5ac14798f1c27958149effdbd85b95709b0d2ad6d

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZL3HV_TWEAKNVDIA.exe
Size

11.4MB
MD5

3507038edf6b4f164c5149f39cff11b0
SHA1

720cae8b2c67d7526837f1fd3a44cbcf80ae6dd5
SHA256

916f1b6644b58d164c74b9d5ac14798f1c27958149effdbd85b95709b0d2ad6d
SHA512

c420055bfe38ae687e897ea8e5fba7cf2821ccae21819eb6ce92901b940539c107a2c8ee5c987ce07ebc060b3a008752ea5946a01cc56e45a8937da4c6be73ef
SSDEEP

196608:EG9LuhOZDB08T3uPqG4d1/1wKEIs52FykwcAFRrj5H8o99skweFOGXdaAPj:Lk2DPTX/Ts5JPfrN9s5eFOGoyj

Score

7^/10

discovery execution pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2844	Update.exe
2648	Update.exe
1388	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
1656	ZL3HV_TWEAKNVDIA.exe
2844	Update.exe
2648	Update.exe
1388	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4c5-63.dat	upx
behavioral1/memory/2648-65-0x000007FEF67C0000-0x000007FEF6DA8000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
1320	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000017530-11.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fltMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZL3HV_TWEAKNVDIA.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3048	powershell.exe
1320	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2288	1656	ZL3HV_TWEAKNVDIA.exe	30
PID 1656 wrote to memory of 2288	1656	ZL3HV_TWEAKNVDIA.exe	30
PID 1656 wrote to memory of 2288	1656	ZL3HV_TWEAKNVDIA.exe	30
PID 1656 wrote to memory of 2288	1656	ZL3HV_TWEAKNVDIA.exe	30
PID 1656 wrote to memory of 2844	1656	ZL3HV_TWEAKNVDIA.exe	32
PID 1656 wrote to memory of 2844	1656	ZL3HV_TWEAKNVDIA.exe	32
PID 1656 wrote to memory of 2844	1656	ZL3HV_TWEAKNVDIA.exe	32
PID 1656 wrote to memory of 2844	1656	ZL3HV_TWEAKNVDIA.exe	32
PID 2288 wrote to memory of 2840	2288	cmd.exe	33
PID 2288 wrote to memory of 2840	2288	cmd.exe	33
PID 2288 wrote to memory of 2840	2288	cmd.exe	33
PID 2288 wrote to memory of 2840	2288	cmd.exe	33
PID 2288 wrote to memory of 2668	2288	cmd.exe	35
PID 2288 wrote to memory of 2668	2288	cmd.exe	35
PID 2288 wrote to memory of 2668	2288	cmd.exe	35
PID 2288 wrote to memory of 2668	2288	cmd.exe	35
PID 2844 wrote to memory of 2648	2844	Update.exe	34
PID 2844 wrote to memory of 2648	2844	Update.exe	34
PID 2844 wrote to memory of 2648	2844	Update.exe	34
PID 2668 wrote to memory of 2728	2668	cmd.exe	36
PID 2668 wrote to memory of 2728	2668	cmd.exe	36
PID 2668 wrote to memory of 2728	2668	cmd.exe	36
PID 2668 wrote to memory of 2728	2668	cmd.exe	36
PID 2668 wrote to memory of 1440	2668	cmd.exe	37
PID 2668 wrote to memory of 1440	2668	cmd.exe	37
PID 2668 wrote to memory of 1440	2668	cmd.exe	37
PID 2668 wrote to memory of 1440	2668	cmd.exe	37
PID 2288 wrote to memory of 3048	2288	cmd.exe	38
PID 2288 wrote to memory of 3048	2288	cmd.exe	38
PID 2288 wrote to memory of 3048	2288	cmd.exe	38
PID 2288 wrote to memory of 3048	2288	cmd.exe	38
PID 2288 wrote to memory of 1320	2288	cmd.exe	39
PID 2288 wrote to memory of 1320	2288	cmd.exe	39
PID 2288 wrote to memory of 1320	2288	cmd.exe	39
PID 2288 wrote to memory of 1320	2288	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\ZL3HV_TWEAKNVDIA.exe
"C:\Users\Admin\AppData\Local\Temp\ZL3HV_TWEAKNVDIA.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\fltMC.exe
    fltmc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "REG_SZ"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat

Filesize
201KB

MD5
061be0f53c7febeb3e363c867b9c128d

SHA1
3629f358e24dddc04c05fdd4b9899f57a8091286

SHA256
58729cdacc6ce4ea7e168a598fd3e29a1d3d017adbf85badbfb6de818b0de45c

SHA512
d1c520e4565ed492f312e8fe611913f013fe2e05539e42f9185271e8a811b50af8a1cd2e5445959c068c5d4adf1633c06d6a387d3b6cb1fa5c5fa84faff31e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5e25e88f4b8f5e8b60036688f7c094be

SHA1
0c7b2b31034ed2afcd2115e50a7bc76832e2bb95

SHA256
33aa296e35f3bcde75b46b09ae1c4e8afe2cac621d809f0634dbcc0ac1a6adf4

SHA512
f089d60eb25b8b420297b2cc21d2608daf1104cfec030f05af7efaddd173ad7cd92374f8749ef9fb350c07a65f5b97314c170509631a21c3e4882eaa1c68d261

Download Submit
\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
10.8MB

MD5
325bc1091d3aa90371df0e8f9095ab63

SHA1
28084aa70ddd36fe43e9c2078c5438c5048ab0cb

SHA256
097826ecce3278e1da5f0bee44a75a35ef38ca4c56e1f64c43a40c7b47cd9c17

SHA512
3f67b1bd376f3246900be4c7324e82cc71b3c890a87b76c51ea282d8f04db615435152063405c5ed402c88f44ef75b4c0f4260dd958044f96fb7775b11634996

Download Submit
memory/2648-65-0x000007FEF67C0000-0x000007FEF6DA8000-memory.dmp

Filesize
5.9MB

Download