Analysis
-
max time kernel
90s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
02-01-2023 17:28
Static task
static1
Behavioral task
behavioral1
Sample
Compiled_Project.rar
Resource
win7-20221111-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
Compiled_Project.rar
Resource
win10v2004-20220901-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
Compiled_Project.rar
-
Size
53KB
-
MD5
75f365b7a47efe16eeec9d5aa8422bfe
-
SHA1
7bb830fffef7f76df24db8575175950be207b9de
-
SHA256
14ac25415d9f1c8ceaeab7be358750490b752f121e0ae4f0919d98a98b1b8b17
-
SHA512
7d7302b3452657e4e31be63ec72e6e4d0eea8c9a5579c6ed24572b1fe3fce721592a6b1b024999abaf6910b334e166c8fece9d38eac2b10123f25adffcc6c32d
-
SSDEEP
1536:hVXrfe7Pbk9BHZKOY9az949oHDJOMXnJGKscWGlJ:hVjeDbk3Uw+YJOM3JGKIQJ
Score
4/10
Malware Config
Signatures
-
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files\JoinOut.exe OpenWith.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.rar OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zG.exe\shell OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\蛞Ǹ\ = "rar_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zG.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zG.exe\" \"%1\"" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.rar\ = "rar_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000002155325e110050524f4752417e310000740009000400efbe874fdb492155325e2e0000003f0000000000010000000000000000004a0000000000af69ac00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zG.exe\shell\open\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7zG.exe\shell\open OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zG.exe\" \"%1\"" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000002155d75a1000372d5a6970003c0009000400efbe2155d75a2155d75a2e0000009e23020000000f0000000000000000000000000000009ca4570037002d005a0069007000000014000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\蛞Ǹ OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\rar_auto_file\shell\open\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4092 OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 4756 7zG.exe Token: 35 4756 7zG.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe 4092 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4092 wrote to memory of 4756 4092 OpenWith.exe 93 PID 4092 wrote to memory of 4756 4092 OpenWith.exe 93
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Compiled_Project.rar1⤵
- Modifies registry class
PID:4988
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" "C:\Users\Admin\AppData\Local\Temp\Compiled_Project.rar"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756
-