Overview

Static
Score  File                   Platform
10     SS Tools SafePvP.rar   windows10-1703-x64
3      Srenshare ...os.lnk    windows10-1703-x64
3      Srenshare ...mp.lnk    windows10-1703-x64
3      Srenshare ...SS.exe    windows10-1703-x64
3      Srenshare ...up.exe    windows10-1703-x64
7      Srenshare ...s-.url    windows10-1703-x64
1      Srenshare ...1).exe    windows10-1703-x64
7      Srenshare ...ew.exe    windows10-1703-x64
6      Srenshare ...in.exe    windows10-1703-x64
5      Srenshare ... 2.lnk    windows10-1703-x64
3      Srenshare ...er.exe    windows10-1703-x64
9      Srenshare ...ew.exe    windows10-1703-x64
6      Srenshare ...ew.exe    windows10-1703-x64
9      Srenshare ....5.exe    windows10-1703-x64
Analysis
max time kernel: 80s
max time network: 67s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-02-2023 01:39
Behavioral tasks
Task | Sample | Resource
behavioral1 | SS Tools SafePvP.rar | win10-20220901-en
behavioral2 | Srenshare tool/Atajos/Iconos.lnk | win10-20220812-en
behavioral3 | Srenshare tool/Atajos/Temp.lnk | win10-20220812-en
behavioral4 | Srenshare tool/LandSS.exe | win10-20220812-en
behavioral5 | Srenshare tool/Tools/Everything-1.4.1.935.x86-Setup.exe | win10-20220901-en
behavioral6 | Srenshare tool/Tools/Jitter Click Training-How fast can you click in 10 seconds-.url | win10-20220812-en
behavioral7 | Srenshare tool/Tools/Kangaroo (1).exe | win10-20220812-en
behavioral8 | Srenshare tool/Tools/LastActivityView.exe | win10-20220812-en
behavioral9 | Srenshare tool/Tools/Paladin.exe | win10-20220901-en
behavioral10 | Srenshare tool/Tools/Process Hacker 2.lnk | win10-20220812-en
behavioral11 | Srenshare tool/Tools/RegScanner.exe | win10-20220812-en
behavioral12 | Srenshare tool/Tools/USBDeview.exe | win10-20220901-en
behavioral13 | Srenshare tool/Tools/UserAssistView.exe | win10-20220812-en
behavioral14 | Srenshare tool/Tools/luyten-0.4.5.exe | win10-20220812-en
General
Target: SS Tools SafePvP.rar
Size: 21.6MB
MD5: 168d85cb9b30c2065a2bdaf704b2ddef
SHA1: 4aed9ca176e5f9b9c5a5160cbb0b5c942ec59ea5
SHA256: 6cc0505bc3d39f9806d605ba115dd302da1f485554ec44c9c96286f5ea34d909
SHA512: cd1bc78ee86480ac10f6af86254b4dd7f230d312ff403bd0dd32d910997de5bab79f3cc8a81862bdc268173e32d067179a74fd68616d90f445bc721eb2a64547
SSDEEP: 393216:na+3nVZeku6O6HTpwthhG239C8kQeJx8pYRdvptIQUmyjV7Cht74/YJbTZGRI:nPeILoYAAQeJxlpLyXyhGu
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (9 IoCs)
  Processes: OpenWith.exe, cmd.exe
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\rar_auto_file\shell\open | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\rar_auto_file\shell | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\.rar | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\.rar\ = "rar_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\rar_auto_file | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\rar_auto_file\shell\open\command | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\rar_auto_file\shell\open\command\ = "\"%ProgramFiles%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%1\"" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  PID | Process
  4756 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (22 IoCs)
  Processes: OpenWith.exe, WORDPAD.EXE
  PID | Process | Entries
  4756 | OpenWith.exe | 17
  2472 | WORDPAD.EXE | 5
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  Description | PID | Process | Target process
  PID 4756 wrote to memory of 2472 | 4756 | OpenWith.exe | WORDPAD.EXE
  PID 4756 wrote to memory of 2472 | 4756 | OpenWith.exe | WORDPAD.EXE
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\SS Tools SafePvP.rar"
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\SS Tools SafePvP.rar"
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\3780789c10094470a721f4446b80ddd7 /t 3732 /p 2472
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/2472-120-0x0000000000000000-mapping.dmp