accc8d14027a42e7b535e95f5526685330a9bc9755a1faa380065df43135ba25

Analysis

max time kernel
280s
max time network
406s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
02-03-2023 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ActivatedSetup_Use_2023_PassKey.rar
Size

13.5MB
MD5

59d084ed7d0aa80a0fbf8b029a6ea8ed
SHA1

61795d05a7c6831673a18b70954eaafd1f59709d
SHA256

accc8d14027a42e7b535e95f5526685330a9bc9755a1faa380065df43135ba25
SHA512

31d11bcaf762d41c9eaf243bc8ec846ea44395941035f225ae43db560e2a57252edd8b370d46b65e7d453b56bf2f4b964245ab54dbad8c3cdd170afd408b8466
SSDEEP

196608:sPOzVS8NMr9QoTgAsLfqysj/MdgYOEr+jPTHyWxzz4unvXyAttkvHPJn:AcVS/hZeLkMaYOEkHyWxQ2vyWtk5n

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
544	Setup_Active.exe
4444	Setup_Active.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
544	Setup_Active.exe
544	Setup_Active.exe
4444	Setup_Active.exe
4444	Setup_Active.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1756	7zG.exe
Token: 35	1756	7zG.exe
Token: SeSecurityPrivilege	1756	7zG.exe
Token: SeSecurityPrivilege	1756	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1756	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4760	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ActivatedSetup_Use_2023_PassKey.rar
1⤵
- Modifies registry class
PID:4152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2468

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\" -spe -an -ai#7zMap25430:120:7zEvent21384
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1756

C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\Setup_Active.exe
"C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\Setup_Active.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\Setup_Active.exe
"C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\Setup_Active.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\Setup_Active.exe

Filesize
730.9MB

MD5
f01b5ce4202e050ec2a86dfc352289c2

SHA1
482398178be5b003ab804c37f7227f0ca6754ec9

SHA256
171d506271ce2e743f6de549e4ab76f227782403381361018850e41a3dedea48

SHA512
e8bebc003cc5cf54a21acb3a94424ba64d2a55f92f500f9a4bec57c3e7c7a41c78680f3165b4442493b2a906849e5abc5d07554396afaf1a70c59b27f6cdc6f2

Download Submit
C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\Setup_Active.exe

Filesize
730.9MB

MD5
f01b5ce4202e050ec2a86dfc352289c2

SHA1
482398178be5b003ab804c37f7227f0ca6754ec9

SHA256
171d506271ce2e743f6de549e4ab76f227782403381361018850e41a3dedea48

SHA512
e8bebc003cc5cf54a21acb3a94424ba64d2a55f92f500f9a4bec57c3e7c7a41c78680f3165b4442493b2a906849e5abc5d07554396afaf1a70c59b27f6cdc6f2

Download Submit
C:\Users\Admin\Desktop\ActivatedSetup_Use_2023_PassKey\Setup_Active.exe

Filesize
730.9MB

MD5
f01b5ce4202e050ec2a86dfc352289c2

SHA1
482398178be5b003ab804c37f7227f0ca6754ec9

SHA256
171d506271ce2e743f6de549e4ab76f227782403381361018850e41a3dedea48

SHA512
e8bebc003cc5cf54a21acb3a94424ba64d2a55f92f500f9a4bec57c3e7c7a41c78680f3165b4442493b2a906849e5abc5d07554396afaf1a70c59b27f6cdc6f2

Download Submit
memory/544-159-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/544-153-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/544-156-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/544-158-0x0000000001A20000-0x0000000001A21000-memory.dmp

Filesize
4KB

Download
memory/544-157-0x0000000001900000-0x0000000001901000-memory.dmp

Filesize
4KB

Download
memory/544-155-0x00000000018D0000-0x00000000018D1000-memory.dmp

Filesize
4KB

Download
memory/544-160-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/544-154-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/4444-163-0x0000000001990000-0x0000000001991000-memory.dmp

Filesize
4KB

Download
memory/4444-165-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download
memory/4444-164-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/4444-167-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4444-166-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/4444-169-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4444-168-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/4444-170-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download