ff87d820baf913ae59727dab8579b9f2d349b95bfb78aebcfeeb91cbce8c6ce3

Resubmissions

27-02-2023 04:37

230227-e83rpsbf3s 8

27-02-2023 04:25

27-02-2023 04:20

27-02-2023 04:14

12-02-2023 12:22

Analysis

max time kernel
148s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-02-2023 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pass_55555_Setup.rar
Size

16.6MB
MD5

e723764b64c812d553c53f88f02fc1b6
SHA1

13a7c40f7dccda372d4c96f8061d72c0d3c4b776
SHA256

ff87d820baf913ae59727dab8579b9f2d349b95bfb78aebcfeeb91cbce8c6ce3
SHA512

74e11cd487215bc1f8dbfb88f689b32ffa7ede074ca3d54a3aed75e85fdbd32ebdfadc554f37cbcd78c16603cc808244fd9df9d96e7276d07db2d1f7d032e0ea
SSDEEP

393216:4k47PRY7aDgd/8k8YsWBdMbOrnBMFREW/VapQI+6Szlk2hEG5+SLJZA:eY7Vd8GjMbKBMFRzMixzzhX1XA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

7zG.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	4808	7zG.exe
Token: 35	4808	7zG.exe
Token: SeSecurityPrivilege	4808	7zG.exe
Token: SeSecurityPrivilege	4808	7zG.exe
Token: SeRestorePrivilege	4356	7zG.exe
Token: 35	4356	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

4808 7zG.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

4700 OpenWith.exe
4700 OpenWith.exe
4700 OpenWith.exe
2660 OpenWith.exe

pid	process
4808	7zG.exe

pid	process
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
2660	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Pass_55555_Setup.rar
1⤵
- Modifies registry class
PID:2908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:772

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Pass_55555_Setup\" -ad -an -ai#7zMap5560:112:7zEvent26353
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4808

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap27551:82:7zEvent27679 -tzip -sae -- "C:\Users\Admin\Desktop\Pass_55555_Setup.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Pass_55555_Setup\Installer-x64bit.exe
Filesize
256KB

MD5
81cc00bc5a1cae97942eef8f9b18918a

SHA1
6b1f0e7e2ba457db00193693abeb77e90ac78e55

SHA256
13d7a70ca8b1f0ff182084c03ebbf0deed11a3d1b6213eb132db4744d5b21bae

SHA512
fb3aa1dfda25fd58beda40e8fcaf84b3115b723d3af480f3c100469cb624d1b6bd5c413b3a9214157106a071b01f3c91f6deeaa58231f877662cdbbbfdb4c9d4

Download Submit
C:\Users\Admin\Desktop\Pass_55555_Setup\avcodec-58.dll
Filesize
1.6MB

MD5
793f273863cfcd317d0c128fb6747b83

SHA1
46b38b8aa4949c0dd3f226f20e9bc39af1930a78

SHA256
caacd89a07d882389490cfbe6379b1c1e5b2e92d4b1527dd428afc2fd214dfa6

SHA512
716cc416dc43d2fe6d4cea2ecbf91fec017d95b316ac370e38b0de6b8d8348c5224ab32d9fde0d44c7d43c93448458d7f50d07dab1b1fee777416d6866741563

Download Submit
C:\Users\Admin\Desktop\Pass_55555_Setup\avformat-58.dll
Filesize
1.5MB

MD5
c75b4a10f6764fb359a403a38fdaa20d

SHA1
f2681c79d24f2fe8511847f1202d2c56733bd0ac

SHA256
9b149002580b93a32adb911104824f9654f1479a6e9f4132e213e8a040238ea0

SHA512
c074b270df8d813c755eed458a76f4e05f3ef47996f7d7304c13cc0eabfaae434f859acb68221bdb96ea8187990dbad56cdb61828d800785260a99872cc664ae

Download Submit