Analysis
max time kernel: 14s
max time network: 15s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2025, 11:02
Static task: static1
Behavioral task: behavioral1
  Sample: Patch.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Patch.exe
  Resource: win10v2004-20250314-en
General
Target: Patch.exe
Size: 7.8MB
MD5: 3a850db4850dd41e9525ac90d8a8b747
SHA1: 2334e46413dddb83b67c4f876e0cb273b8ec061b
SHA256: 81053453319c898a7e808c8d02ac82df57d582a69e7d0a6b71bc0ca3702cf1c7
SHA512: 2504a7f4f56be35a4561e116738415d5819091d86143ef5da42f62b712a338c4b63799a8fdbbc21f7b68a67f78c47531b032e801493b11c9f0b381d486568f47
SSDEEP: 196608:ThYJw5gF/9+zgr0ol1xaw6oXsBcvvxNR0ZCRQzKVBnKEb+RFLTA:T6J7/9+zgrD51qCRQOPgFL8
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  4312 | 7z2201.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid | Process
  1520 | tasklist.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\hr.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\is.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\nn.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\th.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ug.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\uz.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\eo.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ky.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\ky.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\lij.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\nl.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\pa-in.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\pt-br.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\sw.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\be.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\da.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\ku.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\lij.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\tt.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\7zCon.sfx | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Uninstall.exe | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\id.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\io.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\kaa.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\ko.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\sw.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\ca.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\fy.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\gl.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\hy.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\sq.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\ug.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ja.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\pt.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\sa.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\si.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\sl.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\sv.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\tk.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\cy.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\da.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\lv.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\uk.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\uz.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\readme.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\7-zip.dll | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\7z.sfx | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ca.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\af.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ar.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\ast.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\fr.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\gl.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\ne.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\tg.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\bg.txt | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Lang\ta.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\th.txt | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\7z.exe | 7z2201.exe
  File created | C:\Program Files (x86)\7-Zip\Uninstall.exe | 7z2201.exe
  File opened for modification | C:\Program Files (x86)\7-Zip\Lang\cs.txt | 7z2201.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7z2201.exe
Modifies registry class (15 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | 7z2201.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | 7z2201.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | 7z2201.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll" | 7z2201.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | 7z2201.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | 7z2201.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | 7z2201.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | 7z2201.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | 7z2201.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | 7z2201.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2201.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 3096 | WMIC.exe
  Token: SeSecurityPrivilege | 3096 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3096 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3096 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3096 | WMIC.exe
  Token: SeSystemtimePrivilege | 3096 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3096 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3096 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3096 | WMIC.exe
  Token: SeBackupPrivilege | 3096 | WMIC.exe
  Token: SeRestorePrivilege | 3096 | WMIC.exe
  Token: SeShutdownPrivilege | 3096 | WMIC.exe
  Token: SeDebugPrivilege | 3096 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3096 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3096 | WMIC.exe
  Token: SeUndockPrivilege | 3096 | WMIC.exe
  Token: SeManageVolumePrivilege | 3096 | WMIC.exe
  Token: 33 | 3096 | WMIC.exe
  Token: 34 | 3096 | WMIC.exe
  Token: 35 | 3096 | WMIC.exe
  Token: 36 | 3096 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3096 | WMIC.exe
  Token: SeSecurityPrivilege | 3096 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3096 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3096 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3096 | WMIC.exe
  Token: SeSystemtimePrivilege | 3096 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3096 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3096 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3096 | WMIC.exe
  Token: SeBackupPrivilege | 3096 | WMIC.exe
  Token: SeRestorePrivilege | 3096 | WMIC.exe
  Token: SeShutdownPrivilege | 3096 | WMIC.exe
  Token: SeDebugPrivilege | 3096 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3096 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3096 | WMIC.exe
  Token: SeUndockPrivilege | 3096 | WMIC.exe
  Token: SeManageVolumePrivilege | 3096 | WMIC.exe
  Token: 33 | 3096 | WMIC.exe
  Token: 34 | 3096 | WMIC.exe
  Token: 35 | 3096 | WMIC.exe
  Token: 36 | 3096 | WMIC.exe
  Token: SeDebugPrivilege | 1520 | tasklist.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 3556 wrote to memory of 3900 | 3556 | Patch.exe | 86
  PID 3556 wrote to memory of 3900 | 3556 | Patch.exe | 86
  PID 3900 wrote to memory of 4312 | 3900 | cmd.exe | 88
  PID 3900 wrote to memory of 4312 | 3900 | cmd.exe | 88
  PID 3900 wrote to memory of 4312 | 3900 | cmd.exe | 88
  PID 3900 wrote to memory of 4064 | 3900 | cmd.exe | 102
  PID 3900 wrote to memory of 4064 | 3900 | cmd.exe | 102
  PID 3900 wrote to memory of 3984 | 3900 | cmd.exe | 103
  PID 3900 wrote to memory of 3984 | 3900 | cmd.exe | 103
  PID 3900 wrote to memory of 2328 | 3900 | cmd.exe | 104
  PID 3900 wrote to memory of 2328 | 3900 | cmd.exe | 104
  PID 2328 wrote to memory of 3096 | 2328 | cmd.exe | 105
  PID 2328 wrote to memory of 3096 | 2328 | cmd.exe | 105
  PID 3900 wrote to memory of 4552 | 3900 | cmd.exe | 106
  PID 3900 wrote to memory of 4552 | 3900 | cmd.exe | 106
  PID 4552 wrote to memory of 1520 | 4552 | cmd.exe | 107
  PID 4552 wrote to memory of 1520 | 4552 | cmd.exe | 107
  PID 3900 wrote to memory of 2236 | 3900 | cmd.exe | 108
  PID 3900 wrote to memory of 2236 | 3900 | cmd.exe | 108
  PID 3900 wrote to memory of 2960 | 3900 | cmd.exe | 109
  PID 3900 wrote to memory of 2960 | 3900 | cmd.exe | 109
  PID 3900 wrote to memory of 4124 | 3900 | cmd.exe | 110
  PID 3900 wrote to memory of 4124 | 3900 | cmd.exe | 110
  PID 4124 wrote to memory of 2756 | 4124 | cmd.exe | 111
  PID 4124 wrote to memory of 2756 | 4124 | cmd.exe | 111
  PID 3900 wrote to memory of 3516 | 3900 | cmd.exe | 112
  PID 3900 wrote to memory of 3516 | 3900 | cmd.exe | 112
  PID 3516 wrote to memory of 376 | 3516 | cmd.exe | 113
  PID 3516 wrote to memory of 376 | 3516 | cmd.exe | 113
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Patch.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
    PID: 3556
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4QOH6JI4.bat" "C:\Users\Admin\AppData\Local\Temp\Patch.exe""
      PID: 3900
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\qbE57612B.84\7z2201.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qbE57612B.84\7z2201.exe" /S
        PID: 4312
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo ------ Program successfully licensed! ------ "
        PID: 4064

    [3] C:\Windows\system32\msg.exe
        Command line: msg *
        PID: 3984

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
        PID: 2328
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic path win32_LocalTime Get Day,Month,Year /value
          PID: 3096
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
        PID: 4552
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\tasklist.exe
          Command line: tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
          PID: 1520
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\reg.exe
        Command line: reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
        PID: 2236

    [3] C:\Windows\system32\reg.exe
        Command line: reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
        PID: 2960

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
        PID: 4124
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\reg.exe
          Command line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
          PID: 2756

    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
        PID: 3516
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\reg.exe
          Command line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
          PID: 376
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 52KB
MD5: 4e24355b61c72abed57ce9087ad75459
SHA1: ad2a70eaa999c60862e7d89ba4639a81b099b7c1
SHA256: f8f2a66e410a04d1d810074290378c232a4b2b11e5bbe1d868576c80318bfab7
SHA512: d8e7b740569ce87da37da3ac0822fcba9af6437bc8d20f883f96c9fc0ee00d53ed4e27ae44224b93efec27101ede50effb140015aa3266ccae8f513de703c194

Filesize: 1.2MB
MD5: 734e95cdbe04f53fe7c28eeaaaad7327
SHA1: e49a4d750f83bc81d79f1c4c3f3648a817c7d3da
SHA256: 8c8fbcf80f0484b48a07bd20e512b103969992dbf81b6588832b08205e3a1b43
SHA512: 16b02001c35248f18095ba341b08523db327d7aa93a55bcee95aebb22235a71eae21a5a8d19019b10cac3e7764a59d78cf730110bae80acc2ff249bbc7861ad7

Filesize: 52B
MD5: 8ef9e3800f3da4fe9ac22699b457e95b
SHA1: 4f66d2f0f8c5c95b3b728a1a5e6deac269afcada
SHA256: 1340e725f1e3c0ccdcb8fa5da3ab958d43731f6d5e158355f165490894922f32
SHA512: 0a145f96034d1f277175840d3b080c2d934360c2a8258bbbda605c31f0dcb8fb81eb7800c034b0c8f4bd09c74102a73ecf5345d38b8bb24fddb86d526370d9eb

Filesize: 67KB
MD5: 3056453b2ea9a7987180a0f7c6e0601d
SHA1: 069178ea6b242cd326a2ca2b983816c412ea9307
SHA256: b572e1b4af12863e3444049875bc5fdfcf5b126f29938d4d1a46d3a473554c49
SHA512: 8f86ec1ac4f6190c057816914648a448531f402a7b91dc956ec975a951bc95e52f3228984a5d3b1f609924f40fabe8d8f55f4ecf58db44f0ef94f42e95b0b425

Filesize: 7KB
MD5: e4e67d6f10c69cb29c4815a2ecda209f
SHA1: 92eef38f4e992bc00df9d15ad13b244e8c0c407e
SHA256: 52b7e3123089a575490bbd81342a10ad6aba22fc54c2a7d5e6d1fc421e99f60d
SHA512: 92f08578a0998370f974ee90925f4f943eb7c039cf4d9ee7c9474a52ee9b1deebd3a8c792de1228f667b0b0cb13871dcfe19a81fa227e60d6efff788330a2d54

Filesize: 6.0MB
MD5: bcc8b5100b2c372c551f30bb6191ffaf
SHA1: 5c98293d8b9eca244f499c0043824d8744adc209
SHA256: a590e1f8af79ff6285e2a278789fb8904034e5076b30b2a02f944851fce0a33c
SHA512: 52b0dde7ef601af320dc8980e4a98a0edae1fed7a38113d7168dc347d8e3e1e2c0101c68e7408f12fc03471c1d53c9d0a203d83522fa5ed8ece0e517c8ff5009