3276c2db5547848fdcfb46a56c133029ee48ccc864325b95b09d7f136d2b5732

Analysis

max time kernel
12s
max time network
37s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/03/2023, 20:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Mega Man X5 (USA).7z
Size

304.9MB
MD5

1bace289e2070f58fe0f8916d6d88842
SHA1

dd143b1549f03251f99d609c430543a075e3598d
SHA256

3276c2db5547848fdcfb46a56c133029ee48ccc864325b95b09d7f136d2b5732
SHA512

d7c19ec9e9dab9c758dabd9fbfce8ec97057956d2dfea4043cc03f676ea30d111ff4604140a8ae1447ac0b8d3511a8eacd27e15f17a6b0d66a9801329627db17
SSDEEP

6291456:YeLZ7gvm6fkA+DLV1CpYyn1Zv8Jy796pjetBQnRuW/ntG7eze8:FLpkmckA+l1CeynL3796pjqQnRuSnfe8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1744	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	316	AUDIODG.EXE
Token: 33	316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	316	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1744	752	cmd.exe	30
PID 752 wrote to memory of 1744	752	cmd.exe	30
PID 752 wrote to memory of 1744	752	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Mega Man X5 (USA).7z"
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Mega Man X5 (USA).7z
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x15c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads