Analysis

max time kernel: 147s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-11-2022 03:00

Static task: static1
Behavioral task: behavioral1
Sample: Latest_Setup_1234_Pass.rar
Resource: win7-20220812-en
General

Target: Latest_Setup_1234_Pass.rar
Size: 6.7MB
MD5: 7eb5803eb4ceef294a77965cbfe08b15
SHA1: ab3e0092fcb570a0748dd9a373767abc41dccf9a
SHA256: 4f9c751502c5a0f0783d4ce9e2dab195b4088e184037a2828a5d4ba0fcd098d9
SHA512: adf94da82ff4f7476555cd3fddb434f211ab8ed27a1616ca29250dbdc611faca28b7e5b5eb0609c73d68b697496cbfa25c1ab7a4ab3083f195c3f9d9803555fb
SSDEEP: 196608:+MZrAnnXNLoTq1QFK60js3RzUfdUF96Siwuz:JrWP1QYtQxsdWy
Malware Config

Extracted
Family: vidar
Version: 54.6
Botnet: 1281
C2: https://t.me/parampampamsss
profile_id: 1281
Signatures

Executes dropped EXE (1 IoC)
Processes: Setup.exe
  pid   process
  1608  Setup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
Processes: rundll32.exe
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings  rundll32.exe
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache  rundll32.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: vlc.exe
  pid  process
  364  vlc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Setup.exe
  pid   process
  1608  Setup.exe
  1608  Setup.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vlc.exe
  pid  process
  364  vlc.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: 7zG.exe, AUDIODG.EXE
  description                        pid   process
  Token: SeRestorePrivilege          1840  7zG.exe
  Token: 35                          1840  7zG.exe
  Token: SeSecurityPrivilege         1840  7zG.exe
  Token: SeSecurityPrivilege         1840  7zG.exe
  Token: 33                          1868  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1868  AUDIODG.EXE
  Token: 33                          1868  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1868  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (10 IoCs)
Processes: vlc.exe, 7zG.exe
  pid   process
  364   vlc.exe
  364   vlc.exe
  364   vlc.exe
  364   vlc.exe
  364   vlc.exe
  364   vlc.exe
  1840  7zG.exe
  364   vlc.exe
  364   vlc.exe
  364   vlc.exe

Suspicious use of SendNotifyMessage (8 IoCs)
Processes: vlc.exe
  pid  process
  364  vlc.exe
  364  vlc.exe
  364  vlc.exe
  364  vlc.exe
  364  vlc.exe
  364  vlc.exe
  364  vlc.exe
  364  vlc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: vlc.exe
  pid  process
  364  vlc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, rundll32.exe
  description                       pid   process       target process
  PID 1184 wrote to memory of 1108  1184  cmd.exe       rundll32.exe
  PID 1184 wrote to memory of 1108  1184  cmd.exe       rundll32.exe
  PID 1184 wrote to memory of 1108  1184  cmd.exe       rundll32.exe
  PID 1108 wrote to memory of 364   1108  rundll32.exe  vlc.exe
  PID 1108 wrote to memory of 364   1108  rundll32.exe  vlc.exe
  PID 1108 wrote to memory of 364   1108  rundll32.exe  vlc.exe
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Program Files\VideoLAN\VLC\vlc.exe
      command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\verclsid.exe
  command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\" -spe -an -ai#7zMap17926:124:7zEvent15263
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0xc4
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\Setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\Setup.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass\Setup.exe
  Filesize: 374.0MB
  MD5: 4b5a8b4c9509f42358d2109a5744b0ec
  SHA1: c4f017ea690cd70ab6520a24377b3932f337c9d1
  SHA256: 36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f
  SHA512: 36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1

memory/364-81-0x0000000000000000-mapping.dmp

memory/1108-76-0x0000000000000000-mapping.dmp

memory/1184-54-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp
  Filesize: 8KB

memory/1608-86-0x0000000074BB1000-0x0000000074BB3000-memory.dmp
  Filesize: 8KB

memory/1608-88-0x00000000000E0000-0x0000000000B7D000-memory.dmp
  Filesize: 10.6MB

memory/1608-91-0x00000000000E0000-0x0000000000B7D000-memory.dmp
  Filesize: 10.6MB