Analysis
-
max time kernel
79s -
max time network
77s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
19-02-2023 00:00
Static task
static1
Behavioral task
behavioral1
Sample
[NEW] Hogwarts Legacy by Empress.rar
Resource
win10v2004-20221111-en
General
-
Target
[NEW] Hogwarts Legacy by Empress.rar
-
Size
29.7MB
-
MD5
cfd8232e140eab8777b8f991ae366340
-
SHA1
32d5220d626962ca2c9c7990ac0799307883e169
-
SHA256
f9cedf4358e6229bcc82dad28fd7fe3893f69ac237a30cc343d7aff182bfd025
-
SHA512
c5fe83ea69eed717dbeb7e234f39e42b18f5ce77e6725aee1740dcc92c1d6460f5209f2511c8ce9d9faff66dff25370427a73bb5e0c7624c45929dba1d3c3d63
-
SSDEEP
786432:wt2vfABLUXxAAP+wKYFAb314QQ4VUqTjCG0HaGkgOLBazdA:wGdxYJ32QQ4VleG3gOYz2
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3540 Hogwarts Legacy by Empress.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 4448 7zG.exe Token: 35 4448 7zG.exe Token: SeSecurityPrivilege 4448 7zG.exe Token: SeSecurityPrivilege 4448 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4448 7zG.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2208 OpenWith.exe 3540 Hogwarts Legacy by Empress.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress.rar"1⤵
- Modifies registry class
PID:1716
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2208
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4956
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\" -spe -an -ai#7zMap25857:144:7zEvent223781⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4448
-
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3540
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
Filesize326.4MB
MD57a1c6ba99ba81106917acf37c8711bac
SHA14b08c2a3d26242d209d45f086f001f4b66a6c31a
SHA256e535bc5f201f84ccd46ecc2374ae4213b46456d8c027d44f58700579018c5264
SHA512b9a234411630edc3029d62954a874714d911704d92db94a27323dec77c4334187ab1608ebf527b90a8d461254364d82c616dfdd31cf0739ff6f026e04def8686
-
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
Filesize325.0MB
MD54fb540332dd61d8c89fb5287035fa219
SHA16361238de501376a918f10abb72aade9c25ecca7
SHA256a26da25e4ed5c8e90cf6717653ee5051171d121b7d9446d7b4b7a970afe39c2d
SHA5124e0eb5cc835f13359036fa65d2b1a33262534732ecb6abe77489b56eb31f1e7fa82f885225a3ac40e5a93a147c09f3d12a8abd0e1a11188349a839269122f9d2