Analysis

  • max time kernel: 110s
  • max time network: 102s
  • platform: windows10-2004_x64
  • resource: win10v2004-20221111-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07-02-2023 15:28

General

  • Target

    https://rapidgator.net/file/0e5e5b017ffc7ae94026040432122235/SUBLIME_TEXT_V4.4143_WIN64.7z.html

Score
7/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://rapidgator.net/file/0e5e5b017ffc7ae94026040432122235/SUBLIME_TEXT_V4.4143_WIN64.7z.html
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1056
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\SUBLIME_TEXT_V4.4143_WIN64\" -spe -an -ai#7zMap27430:108:7zEvent9089
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3724
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4724
    • C:\Users\Admin\Desktop\SUBLIME_TEXT_V4.4143_WIN64\Crack\XF-Sublime-KG.exe
      "C:\Users\Admin\Desktop\SUBLIME_TEXT_V4.4143_WIN64\Crack\XF-Sublime-KG.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Local\Temp\XF-Sublime-KG.exe
        C:\Users\Admin\AppData\Local\Temp\XF-Sublime-KG.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2444
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4c8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2316

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (2) T1112
  • Discovery: System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3mhxqpl\imagestore.dat
    Filesize: 3KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO3L93KT\favicon[1].ico
    Filesize: 3KB

  • C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll
    Filesize: 33KB

  • C:\Users\Admin\AppData\Local\Temp\XF-Sublime-KG.exe
    Filesize: 110KB

  • C:\Users\Admin\AppData\Local\Temp\libgcc_s_dw2-1.dll
    Filesize: 122KB

  • C:\Users\Admin\AppData\Local\Temp\libtomcrypt.dll
    Filesize: 365KB

  • C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll
    Filesize: 67KB

  • C:\Users\Admin\Desktop\SUBLIME_TEXT_V4.4143_WIN64.7z.9p926y1.partial
    Filesize: 493KB

  • C:\Users\Admin\Desktop\SUBLIME_TEXT_V4.4143_WIN64\Crack\XF-Sublime-KG.exe
    Filesize: 518KB

  • memory/2444-139-0x0000000000000000-mapping.dmp
  • memory/2444-150-0x0000000000AC0000-0x0000000000AE3000-memory.dmp
    Filesize: 140KB
  • memory/2444-151-0x000000006F500000-0x000000006F5E8000-memory.dmp
    Filesize: 928KB
  • memory/2444-153-0x0000000000AC0000-0x0000000000AE3000-memory.dmp
    Filesize: 140KB
  • memory/2444-152-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB
  • memory/2444-154-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize: 76KB