Resubmissions
23-02-2023 13:58
230223-q979csga63 1023-02-2023 13:58
230223-q91vaaga59 330-01-2023 00:58
230130-bbgw7adb9t 1015-01-2023 07:31
230115-jcmg3abg69 1015-01-2023 07:28
230115-jarn1aff51 315-01-2023 01:34
230115-by7fcscb6w 10Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
15-01-2023 07:28
Static task
static1
Behavioral task
behavioral1
Sample
working_attack.7z
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
working_attack.7z
Resource
win10v2004-20221111-en
General
-
Target
working_attack.7z
-
Size
925KB
-
MD5
79c2ac9fb282708c97b2622b1dcf8428
-
SHA1
bbfeb1b3a9379ca5fd894b8c5afa0b95f5eef1b7
-
SHA256
db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
-
SHA512
2334c5568ec148985245936d8301e8677b0d6b9809943f1c705ab80572be150d598525df205b8902f8739322f1faa42eb52087048cf57164311002a8e32d2f5f
-
SSDEEP
24576:y7zYd9xdNsC/TbVTUGTL/g5zXCXPukSSw1hSD6xTBeJw6HXss5:ezY3bWYTUkhhSSuhS0G3s8
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 1040 7zG.exe Token: 35 1040 7zG.exe Token: SeSecurityPrivilege 1040 7zG.exe Token: SeSecurityPrivilege 1040 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1040 7zG.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3064 OpenWith.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\working_attack.7z1⤵
- Modifies registry class
PID:4868
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3064
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4524
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap9500:106:7zEvent88501⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1040