Analysis
max time kernel: 624s
max time network: 614s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2022 03:00
Static task: static1
Behavioral task: behavioral1
Sample: Latest_Setup_1234_Pass.rar
Resource: win7-20220812-en
General
Target: Latest_Setup_1234_Pass.rar
Size: 6.7MB
MD5: 7eb5803eb4ceef294a77965cbfe08b15
SHA1: ab3e0092fcb570a0748dd9a373767abc41dccf9a
SHA256: 4f9c751502c5a0f0783d4ce9e2dab195b4088e184037a2828a5d4ba0fcd098d9
SHA512: adf94da82ff4f7476555cd3fddb434f211ab8ed27a1616ca29250dbdc611faca28b7e5b5eb0609c73d68b697496cbfa25c1ab7a4ab3083f195c3f9d9803555fb
SSDEEP: 196608:+MZrAnnXNLoTq1QFK60js3RzUfdUF96Siwuz:JrWP1QYtQxsdWy
Malware Config
Extracted
Family: vidar
Version: 54.6
Botnet: 1281
C2: https://t.me/parampampamsss
profile_id: 1281
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid 4548 Setup.exe
    pid 1044 Setup.exe
    pid 1132 Setup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes:
    Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (cmd.exe)
    Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (OpenWith.exe)
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
    pid 1120 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid 4548 Setup.exe (4 entries)
    pid 1044 Setup.exe (4 entries)
    pid 1132 Setup.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Token: SeRestorePrivilege, pid 1916 7zG.exe
    Token: 35, pid 1916 7zG.exe
    Token: SeSecurityPrivilege, pid 1916 7zG.exe
    Token: SeSecurityPrivilege, pid 1916 7zG.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid 1916 7zG.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 1452 OpenWith.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Latest_Setup_1234_Pass.rar
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\" -spe -an -ai#7zMap14450:102:7zEvent11669
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
  "C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\filework.txt
  - Opens file in notepad (likely ransom note)
- C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
  "C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
  "C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\Setup.exe
  Filesize: 374.0MB
  MD5: 4b5a8b4c9509f42358d2109a5744b0ec
  SHA1: c4f017ea690cd70ab6520a24377b3932f337c9d1
  SHA256: 36ab71573fa5ba8c48aaa970004a66b7d38ff2f3ca0be1c5d432a11f3c2f7d6f
  SHA512: 36a91f32a6b84c6dc25e02049815a17920a876ca6002ca14a22cad633a1c65c59aa363c54cf110761510fe178607345decbc6c8745290b833fdd6d99cbe735b1
- C:\Users\Admin\Desktop\Latest_Setup_1234_Pass\filework.txt
  Filesize: 4B
  MD5: 81dc9bdb52d04dc20036dbd8313ed055
  SHA1: 7110eda4d09e062aa5e4a390b0a572ac0d2c0220
  SHA256: 03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
  SHA512: d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db
- memory/1044-141-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB
- memory/1044-144-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB
- memory/1132-146-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB
- memory/1132-149-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB
- memory/1132-150-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB
- memory/4548-139-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB
- memory/4548-137-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB
- memory/4548-134-0x0000000000DC0000-0x000000000185D000-memory.dmp
  Filesize: 10.6MB