Overview

overview

10

Static

static

1

Git2.zip

windows7-x64

7

Git2.zip

windows10-2004-x64

10

Git2/GUI_M...TA.exe

windows7-x64

8

Git2/GUI_M...TA.exe

windows10-2004-x64

1

Git2/clifd...er.exe

windows7-x64

5

Git2/clifd...er.exe

windows10-2004-x64

10

Git2/sdfsdfs.exe

windows7-x64

5

Git2/sdfsdfs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1797s
  • max time network
    1804s
  • platform
    windows7_x64
  • resource
    win7-20230220-es
  • resource tags

    arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    19-03-2023 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Git2/GUI_MODERNISTA.exe

  • Size

    53KB

  • MD5

    6986f1d3d40626f825b3ebf0415fc54c

  • SHA1

    4e498030af12be1c971aa8b06178c24266d39197

  • SHA256

    7e84d74990b3b4a9807b3072a2637c0c7035b2e9bc4f6e603b9f1766172fbf3e

  • SHA512

    02d095629b9fcd4d7e9b0e156adfd1da41e398848f7c37eb364dfac1636baa6933d95ffebe6083cd4eaafab09d341233ae4e83b47cfeb4e2dc73a30da85c822b

  • SSDEEP

    768:ero4Jbpck6DKrC58V5GmKOb02HI2thwykpTz1:qbRpckGSPGib7dLRQ1

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Git2\GUI_MODERNISTA.exe
    "C:\Users\Admin\AppData\Local\Temp\Git2\GUI_MODERNISTA.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://mega.nz/file/apZmVChC#LuqbgBYW4Z94cB8eGQZfru2KupvvqTf9V4YwWkpVU3U
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1664
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://download.wondershare.com/inst/filmora_setup_full846.exe
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:668 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1660
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\filmora_setup_full846.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\filmora_setup_full846.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
          C:\Users\Public\Documents\Wondershare\NFWCHK.exe
          4⤵
          • Executes dropped EXE
          PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fd713de23c5001fc0398fef6a19ae6a9

    SHA1

    5b273a41d480d833cc095adbb16ae7d2b9ca4d88

    SHA256

    f2c7647947ab6171b221e1d83a0227a55084a79f1e11de1ab8eeb21d3a02222a

    SHA512

    e01fa0ed7a170ee1d0a418f7b76fbf394679c41bb31d7c6ed887fb2244f4f66da2493c04f0c1b3ff19f3dda0eb9c8830ec62810139d5c57a64c4fd192b560451

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\filmora_setup_full846.exe
    Filesize

    3.0MB

    MD5

    964b99bc366deb23489b2abce715db15

    SHA1

    a40bca880b8bb27cefcb730e389ddac3cf792cc3

    SHA256

    e652ac2d16e23be1079b271d915dae2ffc3f5339e23740b1d6850018e0fd9d9b

    SHA512

    c8e261b396585ff6c10a1bf80ad22bfc21e39ac7e3a22de816923cdb9a2a18953ddfcf8d51e68cf72d47bc40018feffa97cf323317ad0702b58fdf726b13bfaf

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\filmora_setup_full846.exe.h5is6d5.partial
    Filesize

    3.0MB

    MD5

    964b99bc366deb23489b2abce715db15

    SHA1

    a40bca880b8bb27cefcb730e389ddac3cf792cc3

    SHA256

    e652ac2d16e23be1079b271d915dae2ffc3f5339e23740b1d6850018e0fd9d9b

    SHA512

    c8e261b396585ff6c10a1bf80ad22bfc21e39ac7e3a22de816923cdb9a2a18953ddfcf8d51e68cf72d47bc40018feffa97cf323317ad0702b58fdf726b13bfaf

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].es-ES
    Filesize

    18KB

    MD5

    e2749896090665aeb9b29bce1a591a75

    SHA1

    59e05283e04c6c0252d2b75d5141ba62d73e9df9

    SHA256

    d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

    SHA512

    c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\filmora_setup_full846[1].exe
    Filesize

    3.0MB

    MD5

    964b99bc366deb23489b2abce715db15

    SHA1

    a40bca880b8bb27cefcb730e389ddac3cf792cc3

    SHA256

    e652ac2d16e23be1079b271d915dae2ffc3f5339e23740b1d6850018e0fd9d9b

    SHA512

    c8e261b396585ff6c10a1bf80ad22bfc21e39ac7e3a22de816923cdb9a2a18953ddfcf8d51e68cf72d47bc40018feffa97cf323317ad0702b58fdf726b13bfaf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\CabDA8.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TarD138.tmp
    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log
    Filesize

    2KB

    MD5

    3aa88145d22e97bd6c2289adaccf957c

    SHA1

    6355a8a5dd1184ea5e005355e6965f59f8523a1e

    SHA256

    d6a9f769406119a52f25ae8b3e6169f3e488692ebb1cef387293fd9782567f11

    SHA512

    85f6d6fc599a726e931d535e027d697bbc55a50e42939d75ca9efc99eb26a1c3fbc8249ce43d2e8a5febc6335b693a37bddb3572537ad00c488c0223390989f9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log
    Filesize

    4KB

    MD5

    3555f10b55e148296832e536e1d5d722

    SHA1

    07bc77c3c0828cbee80038e48d1319182481ff18

    SHA256

    574c68c8d4e4deb7f861f3b2ea5e4ac35924869482cc0501b5a8c03ca348e242

    SHA512

    3d76906a1ccb1fcf1488a68c72aeb0462c21ec760b922fe56e005299960cbe1f945599aad7d8d09d3f20871fd535698c26ac21f1fdd88113e4296b75e69e5a6a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
    Filesize

    3KB

    MD5

    c10362b0a0bd9af71ef992f621ab7505

    SHA1

    aff12cc58413fa6a270b115157d59b08752bdfa8

    SHA256

    dd924d04f2be5eb19543ded901b782d9d67ec7d2541b41e3f2c7da44318a7c06

    SHA512

    f0ae37cd4c1ccb40061a98d89be26cc905595eaa885b26a89267d620ef8041864fcf806adc63182581cf77d34dcab3c58e81b25b17bdfc497666294bb2105dfb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
    Filesize

    4KB

    MD5

    134c6d8e2d4df3ab69a3e098abc9af77

    SHA1

    8f6675a6bcdfa6c224b7c6918f45fd517a49d9de

    SHA256

    3941defa32acd83809f9a2e966b597b65ac8a1fb123ef5197b91c99dd61bb83d

    SHA512

    5a3423e23f55db733a4047f921729f84e3c7214f75e75e12bb44b4580a4fb4edfa6ff37c554253f6e05c5bbf391f87c097b5ffc12531fa6148a25e5b7fe504c7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
    Filesize

    4KB

    MD5

    0fe73565c09ebae6882e3616f38f70eb

    SHA1

    0cecf629ccf89b0851894846b0e4fcb55ed616d0

    SHA256

    44c598356efb2a220f12df1dd8cc4686e632d07d8e688349e524fbe505c4ddd5

    SHA512

    3a08e1ec17296c40b291e7b07ceab4994c57f6fcd5020a5696c0e010f48fd82759b7b270a91d640c267ce73ca17c85d17b9e1109fcef65c0ca80b7b7571c7848

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B3VSO66W.txt
    Filesize

    606B

    MD5

    a7bcc9b60721b7bcab2d97304cd5c3ed

    SHA1

    65f57ddd8b437bcf4de94cfa6bf62f4934bccd58

    SHA256

    b1d3c5638ea03c11a9d5cd0b8b7d883b29acf0fe0122292b6fe276588929ae7e

    SHA512

    bda29d25975fb2c4c5c6b3ac6d94d5c1584c9bce458bddc5cc86e571b8e81fc977591e2bb14a60b48420de74139cc157de7d4b8e7a14f84d69e91b1af2196861

    Download Submit
  • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    Filesize

    7KB

    MD5

    27cfb3990872caa5930fa69d57aefe7b

    SHA1

    5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

    SHA256

    43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

    SHA512

    a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

    Download Submit
  • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    Filesize

    7KB

    MD5

    27cfb3990872caa5930fa69d57aefe7b

    SHA1

    5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

    SHA256

    43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

    SHA512

    a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

    Download Submit
  • C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
    Filesize

    229B

    MD5

    ad0967a0ab95aa7d71b3dc92b71b8f7a

    SHA1

    ed63f517e32094c07a2c5b664ed1cab412233ab5

    SHA256

    9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

    SHA512

    85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

    Download Submit
  • \Users\Public\Documents\Wondershare\NFWCHK.exe
    Filesize

    7KB

    MD5

    27cfb3990872caa5930fa69d57aefe7b

    SHA1

    5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

    SHA256

    43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

    SHA512

    a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

    Download Submit
  • memory/900-60-0x0000000004160000-0x00000000041A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/900-59-0x0000000004160000-0x00000000041A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/900-58-0x0000000004160000-0x00000000041A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/900-57-0x0000000004160000-0x00000000041A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/900-54-0x0000000000A10000-0x0000000000A24000-memory.dmp
    Filesize

    80KB

    Download
  • memory/900-56-0x0000000004160000-0x00000000041A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/900-55-0x0000000004160000-0x00000000041A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2560-1248-0x0000000000E20000-0x0000000000E28000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2560-1250-0x0000000000A80000-0x0000000000B00000-memory.dmp
    Filesize

    512KB

    Download