Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 18:08
Static task: static1
Behavioral task behavioral1: Sample excellent.rar, Resource win7-20240611-en
Behavioral task behavioral2: Sample excellent.rar, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample excellent.exe, Resource win7-20240508-en
Behavioral task behavioral4: Sample excellent.exe, Resource win10v2004-20240611-en
Behavioral task behavioral5: Sample libGLESv2.dll, Resource win7-20240508-en
Behavioral task behavioral6: Sample libGLESv2.dll, Resource win10v2004-20240611-en
Behavioral task behavioral7: Sample updater.ini, Resource win7-20240419-en
Behavioral task behavioral8: Sample updater.ini, Resource win10v2004-20240226-en
General
- Target: excellent.rar
- Size: 8.2MB
- MD5: 74390a2247fd11601ddbe918121b2a2a
- SHA1: 67986feefd597389e1fc1d8386af318100f446a2
- SHA256: 0a31cb7d5b2cdaec7287a6e3a9338f7da9922b85693d5111aa50ec43dde3d3de
- SHA512: 05be574b9b39197e7da11949a9e8d8d07eefffcdd91b26127356e53f0952c03d8e5668b9bffc3fefe8b67ea35fdc292c70275981312b7516afd11dd4f87ace9f
- SSDEEP: 196608:tDT22I/nk9psflVIhoFaTQRn4gE+trIghtZmUmvBH:tDLI/nYUlVJRBDEgrIgh6Xvd
Malware Config
Signatures
- Drops file in Windows directory (1 IoCs)
  Processes:
  description                     ioc                                   process
  File opened for modification    C:\Windows\Debug\WIA\wiatrace.log     mspaint.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes:
  description    ioc                                                                                    process
  Key created    \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings    rundll32.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid     process
  2784    mspaint.exe
  2784    mspaint.exe
  2784    mspaint.exe
  2784    mspaint.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                            pid     process    target process
  PID 2424 wrote to memory of 1156       2424    cmd.exe    rundll32.exe
  PID 2424 wrote to memory of 1156       2424    cmd.exe    rundll32.exe
  PID 2424 wrote to memory of 1156       2424    cmd.exe    rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\excellent.rar
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\excellent.rar
    - Modifies registry class
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\OutPing.emf"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx