Analysis
max time kernel: 370s
max time network: 867s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 29/12/2022, 23:21
Static task
static1
Behavioral tasks
behavioral1: apgb2qp-kmn-win.rar (resource: win10-20220812-en)
behavioral2: KORG.Modwave.Native.v1.0.2.Incl.Keygen-R2R/R2R.nfo (resource: win10-20220812-en)
behavioral3: KORG.Modwave.Native.v1.0.2.Incl.Keygen-R2R/r2r11647.rar (resource: win10-20220812-en)
behavioral4: RET/KORG_KeyGen.exe (resource: win10-20220812-en)
behavioral5: RET/R2R.txt (resource: win10-20220812-en)
behavioral6: Runtime.txt (resource: win10-20220901-en)
behavioral7: Setup modwave native v1.0.2.exe (resource: win10-20220812-en)
behavioral8: KORG.Modwave.Native.v1.0.2.Incl.Keygen-R2R/r2r11647.rar (resource: win10-20220812-en)
behavioral9: KORG.Modwave.Native.v1.0.2.Incl.Keygen-R2R/r2r11647.sfv (resource: win10-20220812-en)
General
Target: apgb2qp-kmn-win.rar
Size: 14.1MB
MD5: 22c6e21817a101f0cda381eba29ee536
SHA1: 37ffaa488ac5ce6fe6f6b4460fcf177a027d98fa
SHA256: ba062ded9471928fb75bfb07b8fe8eee19f6e3c4bf0bc6634cc3f1778312eea1
SHA512: a4919d104eff2b6313503f88832596ca1682ca40a941d23b5e6c6b98cd7d93fc4bbc82655b25ccab1401d53bc35cd846afb195cbc93ff77c86be7568c8ae9d39
SSDEEP: 393216:J12h7JXS4bIJ5KaVVcErC5CPR7scF/i3bHsHIlr3k76VieCdrZR:J127JgekbP1ji3bHTr0eCdrz
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4068 | OpenWith.exe
Suspicious use of SetWindowsHookEx (19 IoCs)
pid | Process
4068 | OpenWith.exe (19 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 4068 wrote to memory of 5048 | 4068 | OpenWith.exe | 69
PID 4068 wrote to memory of 5048 | 4068 | OpenWith.exe | 69
Processes
C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\apgb2qp-kmn-win.rar
  Modifies registry class
  PID: 2696
C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  Modifies registry class
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  PID: 4068
  C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\apgb2qp-kmn-win.rar
    PID: 5048