Overview

Static
Score  Sample                 Platform
1      Pass_55555_Setup.rar   windows10-1703-x64
3      Installer-x64bit.exe   windows10-1703-x64
8      Qt5Gui.dll             windows10-1703-x64
1      avcodec-58.dll         windows10-1703-x64
1      avformat-58.dll        windows10-1703-x64
1      license.txt            windows10-1703-x64
1      plugins/im...if.dll    windows10-1703-x64
1      plugins/im...co.dll    windows10-1703-x64
1      plugins/im...eg.dll    windows10-1703-x64
1      plugins/me...ne.dll    windows10-1703-x64
1      plugins/me...ne.dll    windows10-1703-x64
1      plugins/pl...ws.dll    windows10-1703-x64
1      plugins/st...le.dll    windows10-1703-x64
1      scripting/citra.py     windows10-1703-x64
Resubmissions
Submitted         Task ID            Score
27-02-2023 04:37  230227-e83rpsbf3s  8
27-02-2023 04:25  230227-e2b1eabe9v  3
27-02-2023 04:20  230227-ex6n8abg69  8
27-02-2023 04:14  230227-ets9qabe8t  4
12-02-2023 12:22  230212-pkc69adh37  8

Analysis
max time kernel: 148s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-02-2023 04:20
Static task
static1

Behavioral tasks (all run on resource win10-20230220-en)
Task          Sample
behavioral1   Pass_55555_Setup.rar
behavioral2   Installer-x64bit.exe
behavioral3   Qt5Gui.dll
behavioral4   avcodec-58.dll
behavioral5   avformat-58.dll
behavioral6   license.txt
behavioral7   plugins/imageformats/qgif.dll
behavioral8   plugins/imageformats/qico.dll
behavioral9   plugins/imageformats/qjpeg.dll
behavioral10  plugins/mediaservice/dsengine.dll
behavioral11  plugins/mediaservice/wmfengine.dll
behavioral12  plugins/platforms/qwindows.dll
behavioral13  plugins/styles/qwindowsvistastyle.dll
behavioral14  scripting/citra.py
General
Target: Pass_55555_Setup.rar
Size: 16.6MB
MD5: e723764b64c812d553c53f88f02fc1b6
SHA1: 13a7c40f7dccda372d4c96f8061d72c0d3c4b776
SHA256: ff87d820baf913ae59727dab8579b9f2d349b95bfb78aebcfeeb91cbce8c6ce3
SHA512: 74e11cd487215bc1f8dbfb88f689b32ffa7ede074ca3d54a3aed75e85fdbd32ebdfadc554f37cbcd78c16603cc808244fd9df9d96e7276d07db2d1f7d032e0ea
SSDEEP: 393216:4k47PRY7aDgd/8k8YsWBdMbOrnBMFREW/VapQI+6Szlk2hEG5+SLJZA:eY7Vd8GjMbKBMFRzMixzzhX1XA
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (4 IoCs)
  Processes: 7zG.exe, cmd.exe, OpenWith.exe
  description   ioc                                                                                              process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance                      7zG.exe
  Key created   \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance   7zG.exe
  Key created   \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings               cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings               OpenWith.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 7zG.exe, 7zG.exe
  description                 pid   process
  Token: SeRestorePrivilege   4808  7zG.exe
  Token: 35                   4808  7zG.exe
  Token: SeSecurityPrivilege  4808  7zG.exe
  Token: SeSecurityPrivilege  4808  7zG.exe
  Token: SeRestorePrivilege   4356  7zG.exe
  Token: 35                   4356  7zG.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: 7zG.exe
  pid   process
  4808  7zG.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: OpenWith.exe, OpenWith.exe
  pid   process
  4700  OpenWith.exe
  4700  OpenWith.exe
  4700  OpenWith.exe
  2660  OpenWith.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Pass_55555_Setup.rar
  - Modifies registry class

- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Pass_55555_Setup\" -ad -an -ai#7zMap5560:112:7zEvent26353
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap27551:82:7zEvent27679 -tzip -sae -- "C:\Users\Admin\Desktop\Pass_55555_Setup.zip"
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\Pass_55555_Setup\Installer-x64bit.exe
  Filesize: 256KB
  MD5: 81cc00bc5a1cae97942eef8f9b18918a
  SHA1: 6b1f0e7e2ba457db00193693abeb77e90ac78e55
  SHA256: 13d7a70ca8b1f0ff182084c03ebbf0deed11a3d1b6213eb132db4744d5b21bae
  SHA512: fb3aa1dfda25fd58beda40e8fcaf84b3115b723d3af480f3c100469cb624d1b6bd5c413b3a9214157106a071b01f3c91f6deeaa58231f877662cdbbbfdb4c9d4

- C:\Users\Admin\Desktop\Pass_55555_Setup\avcodec-58.dll
  Filesize: 1.6MB
  MD5: 793f273863cfcd317d0c128fb6747b83
  SHA1: 46b38b8aa4949c0dd3f226f20e9bc39af1930a78
  SHA256: caacd89a07d882389490cfbe6379b1c1e5b2e92d4b1527dd428afc2fd214dfa6
  SHA512: 716cc416dc43d2fe6d4cea2ecbf91fec017d95b316ac370e38b0de6b8d8348c5224ab32d9fde0d44c7d43c93448458d7f50d07dab1b1fee777416d6866741563

- C:\Users\Admin\Desktop\Pass_55555_Setup\avformat-58.dll
  Filesize: 1.5MB
  MD5: c75b4a10f6764fb359a403a38fdaa20d
  SHA1: f2681c79d24f2fe8511847f1202d2c56733bd0ac
  SHA256: 9b149002580b93a32adb911104824f9654f1479a6e9f4132e213e8a040238ea0
  SHA512: c074b270df8d813c755eed458a76f4e05f3ef47996f7d7304c13cc0eabfaae434f859acb68221bdb96ea8187990dbad56cdb61828d800785260a99872cc664ae