0856726b29bb312422c3f0962ee081160dea8a3edd870a6050d480324b3b63f8

Analysis

max time kernel
399s
max time network
402s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
02-03-2023 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MainFile-Setup1-_2022_A_PasWrd.rar
Size

14.0MB
MD5

4f9e1d3674f7040904c3c39cdcfc50e7
SHA1

0549bdc4f055bc94250ad792883f41bf31069902
SHA256

0856726b29bb312422c3f0962ee081160dea8a3edd870a6050d480324b3b63f8
SHA512

facd559202a83ac4975e62be5097c5e5f4f219e42c156caac1c60bf25703ee056df040c598805ff753f1bc98852638115eb0d49fe734932fd1419f8271f5be75
SSDEEP

393216:OhPAI1wPgO4DKob4Qbzwn0D/Ak1lMWwBBtJTHybGolQdmOQmYb:Oh4cwoDDKobXOG/ARWsH9SaFQZmYb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1116	SetupFull.exe

Loads dropped DLL 3 IoCs

pid	Process
1116	SetupFull.exe
1116	SetupFull.exe
1116	SetupFull.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1116	SetupFull.exe
1116	SetupFull.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1648	7zG.exe
Token: 35	1648	7zG.exe
Token: SeSecurityPrivilege	1648	7zG.exe
Token: SeSecurityPrivilege	1648	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1092	1508	cmd.exe	29
PID 1508 wrote to memory of 1092	1508	cmd.exe	29
PID 1508 wrote to memory of 1092	1508	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MainFile-Setup1-_2022_A_PasWrd.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MainFile-Setup1-_2022_A_PasWrd.rar
  2⤵
  - Modifies registry class
  PID:1092

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2004

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\" -spe -an -ai#7zMap27515:118:7zEvent6978
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1648

C:\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\SetupFull.exe
"C:\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\SetupFull.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\SetupFull.exe

Filesize
733.8MB

MD5
c4d65a69f04065ea4924f282a92f705e

SHA1
1fc4bc40136e79a7d10973002593047a13ba9ebf

SHA256
2d2a3928611561a0c8f2390afe2e45d5854c463e88445b9ed4a993fcf7bafd8d

SHA512
a964cfd09ee806d9d819d666ae0ba0c501cad25d5547bd46c6d8f6ca06a135d6b93319bfa6915439f4601dd51ad9db5a1d085744ae0ea4a3aac6d93c12e08df0

Download Submit
C:\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\SetupFull.exe

Filesize
733.8MB

MD5
c4d65a69f04065ea4924f282a92f705e

SHA1
1fc4bc40136e79a7d10973002593047a13ba9ebf

SHA256
2d2a3928611561a0c8f2390afe2e45d5854c463e88445b9ed4a993fcf7bafd8d

SHA512
a964cfd09ee806d9d819d666ae0ba0c501cad25d5547bd46c6d8f6ca06a135d6b93319bfa6915439f4601dd51ad9db5a1d085744ae0ea4a3aac6d93c12e08df0

Download Submit
\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\SetupFull.exe

Filesize
733.8MB

MD5
c4d65a69f04065ea4924f282a92f705e

SHA1
1fc4bc40136e79a7d10973002593047a13ba9ebf

SHA256
2d2a3928611561a0c8f2390afe2e45d5854c463e88445b9ed4a993fcf7bafd8d

SHA512
a964cfd09ee806d9d819d666ae0ba0c501cad25d5547bd46c6d8f6ca06a135d6b93319bfa6915439f4601dd51ad9db5a1d085744ae0ea4a3aac6d93c12e08df0

Download Submit
\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\SetupFull.exe

Filesize
733.8MB

MD5
c4d65a69f04065ea4924f282a92f705e

SHA1
1fc4bc40136e79a7d10973002593047a13ba9ebf

SHA256
2d2a3928611561a0c8f2390afe2e45d5854c463e88445b9ed4a993fcf7bafd8d

SHA512
a964cfd09ee806d9d819d666ae0ba0c501cad25d5547bd46c6d8f6ca06a135d6b93319bfa6915439f4601dd51ad9db5a1d085744ae0ea4a3aac6d93c12e08df0

Download Submit
\Users\Admin\Desktop\MainFile-Setup1-_2022_A_PasWrd\SetupFull.exe

Filesize
733.8MB

MD5
c4d65a69f04065ea4924f282a92f705e

SHA1
1fc4bc40136e79a7d10973002593047a13ba9ebf

SHA256
2d2a3928611561a0c8f2390afe2e45d5854c463e88445b9ed4a993fcf7bafd8d

SHA512
a964cfd09ee806d9d819d666ae0ba0c501cad25d5547bd46c6d8f6ca06a135d6b93319bfa6915439f4601dd51ad9db5a1d085744ae0ea4a3aac6d93c12e08df0

Download Submit