Analysis
- max time kernel: 762s
- max time network: 776s
- platform: windows7_x64
- resource: win7-20230220-es
- resource tags: arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system, windows
- submitted: 25-03-2023 18:37
Static task: static1
Behavioral task: behavioral1
- Sample: Files_Password_1231.rar
- Resource: win7-20230220-es
Behavioral task: behavioral2
- Sample: Files_Password_1231.rar
- Resource: win10v2004-20230220-es
General
- Target: Files_Password_1231.rar
- Size: 17.0MB
- MD5: c3b26e6add132ccdafc3c33b24ec7d30
- SHA1: 89f5f22204bc3c7f8e4c850174e83f5b43ff3b82
- SHA256: 4ef7df344ac90c22306329afce9ca1fc19c48165fd733623bb624dec9f59ca8a
- SHA512: 455d18db86719c38234e0b86d894572607fda71f8395b0f32578bfe2f5cd92247395be3b82b17028fdc3ce284bbe3d02b6895299a8103877877927a1c195a665
- SSDEEP: 393216:WScJ8nwMe9njP2YgI/6U986uM/s4RG55sVvouALvWyVJn:FcoW9j+O6UKY/s4R65LaC
Malware Config
Extracted:
- raccoon
- 01ce0bf18c5eb0152a13b2ee5d4d8adc
- http://37.220.87.69
- http://83.217.11.6
Signatures
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1716 cp_Setup.exe
- 1744 cp_Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes (pid, process):
- 1716 cp_Setup.exe
- 1716 cp_Setup.exe
- 1744 cp_Setup.exe
- 1744 cp_Setup.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes (description, ioc, process):
- Key created, \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings, rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 1716 cp_Setup.exe
- 1744 cp_Setup.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 1180 rundll32.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, process):
- Token: SeRestorePrivilege, 1676, 7zG.exe
- Token: 35, 1676, 7zG.exe
- Token: SeSecurityPrivilege, 1676, 7zG.exe
- Token: SeSecurityPrivilege, 1676, 7zG.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
- 1676 7zG.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
- PID 268 wrote to memory of 1180, 268, cmd.exe, rundll32.exe
- PID 268 wrote to memory of 1180, 268, cmd.exe, rundll32.exe
- PID 268 wrote to memory of 1180, 268, cmd.exe, rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Files_Password_1231.rar
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (child of cmd.exe)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Files_Password_1231.rar
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Files_Password_1231\" -spe -an -ai#7zMap23308:96:7zEvent2093
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
  Command line: "C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
  Command line: "C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
  Filesize: 1269.6MB
  MD5: 6021a2138d3aac1aee27d8a521b26cb2
  SHA1: 47ae09c32bc0c1cc020e80522f6a94d565f6920d
  SHA256: 9a4eb2b87174f19b1f23940363e0bb2d4a3e19d8cdb37d4a8de8ab70bc0135fc
  SHA512: 8bcdc3b72f0c0e1d958e52d227f36c0509e8dbaf76a07f81aba40a1af1a5658c198cc040664ead31e8349d8554ebc6cd4c59ecd130ce97e8766b05c193a5a14a
- C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
  Filesize: 703.4MB
  MD5: 8a1fcdbe0bb02b8f0b121b6c201bcb7f
  SHA1: 8c38cbd10688e2c3cec899fd732aa6326d302b3e
  SHA256: 74a6bc1a854e88bc843c428032580593bf902495f7fc7bffcac7cae2a528d82e
  SHA512: 54bbbc56176ad84a4ee0a4448b3a96487a01444c08783bc7a7ed724702229a5bc804fa513ce725bc915ebc93d845958ee978b92d721449403ba9d58074b704db
- memory/1716-142-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1716-143-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1716-144-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1716-145-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1716-146-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1716-147-0x0000000000400000-0x0000000001CAA000-memory.dmp (Filesize: 24.7MB)
- memory/1716-141-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1744-151-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
- memory/1744-152-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
- memory/1744-154-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
- memory/1744-155-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
- memory/1744-156-0x0000000000400000-0x0000000001CAA000-memory.dmp (Filesize: 24.7MB)