Resubmissions

19-02-2023 00:09

230219-aftk4sdd4z 10

19-02-2023 00:00

230219-aacqeaea43 7

Analysis

  • max time kernel
    79s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-02-2023 00:00

General

  • Target

    [NEW] Hogwarts Legacy by Empress.rar

  • Size

    29.7MB

  • MD5

    cfd8232e140eab8777b8f991ae366340

  • SHA1

    32d5220d626962ca2c9c7990ac0799307883e169

  • SHA256

    f9cedf4358e6229bcc82dad28fd7fe3893f69ac237a30cc343d7aff182bfd025

  • SHA512

    c5fe83ea69eed717dbeb7e234f39e42b18f5ce77e6725aee1740dcc92c1d6460f5209f2511c8ce9d9faff66dff25370427a73bb5e0c7624c45929dba1d3c3d63

  • SSDEEP

    786432:wt2vfABLUXxAAP+wKYFAb314QQ4VUqTjCG0HaGkgOLBazdA:wGdxYJ32QQ4VleG3gOYz2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress.rar"
    1⤵
    • Modifies registry class
    PID:1716
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2208
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4956
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\" -spe -an -ai#7zMap25857:144:7zEvent22378
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4448
    • C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
      "C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3540

    Network

    • DNS (US)
      Remote address: 8.8.8.8:53
      Request: 96.108.152.52.in-addr.arpa IN PTR
      Response:
    • 13.78.111.198:443 (322 B, 7)
    • 93.184.221.240:80 (230 B, 5)
    • 93.184.220.29:80
    • 93.184.221.240:80
    • 8.8.8.8:53 (dns, 96.108.152.52.in-addr.arpa, 72 B / 146 B, 1 / 1)

      DNS Request

      96.108.152.52.in-addr.arpa

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

      Filesize

      326.4MB

      MD5

      7a1c6ba99ba81106917acf37c8711bac

      SHA1

      4b08c2a3d26242d209d45f086f001f4b66a6c31a

      SHA256

      e535bc5f201f84ccd46ecc2374ae4213b46456d8c027d44f58700579018c5264

      SHA512

      b9a234411630edc3029d62954a874714d911704d92db94a27323dec77c4334187ab1608ebf527b90a8d461254364d82c616dfdd31cf0739ff6f026e04def8686

    • C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

      Filesize

      325.0MB

      MD5

      4fb540332dd61d8c89fb5287035fa219

      SHA1

      6361238de501376a918f10abb72aade9c25ecca7

      SHA256

      a26da25e4ed5c8e90cf6717653ee5051171d121b7d9446d7b4b7a970afe39c2d

      SHA512

      4e0eb5cc835f13359036fa65d2b1a33262534732ecb6abe77489b56eb31f1e7fa82f885225a3ac40e5a93a147c09f3d12a8abd0e1a11188349a839269122f9d2
