Analysis
max time kernel: 1552s
max time network: 1559s
platform: windows10-2004_x64
resource: win10v2004-20230221-es
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 01-04-2023 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: PremiumFileT13-Pass-55551.rar
  Resource: win7-20230220-es
Behavioral task: behavioral2
  Sample: PremiumFileT13-Pass-55551.rar
  Resource: win10v2004-20230221-es
General
Target: PremiumFileT13-Pass-55551.rar
Size: 24.5MB
MD5: a75ef1b830c86a85166dbfa99d0338ed
SHA1: d8b478e0461d4008c59b71aaf6298bd61469acd9
SHA256: 1ed375dc67ad8c245211d0fde7b1d8d068268cafef26162fffb95eb5037578d7
SHA512: a25cc94b8b3239fbf44e6d7ba1a832636cc143e8d28fa47efea2bd8e653749192f22e2a01ed264134ffbdf20084d1d9cfc148e9481075dc129333170b8894405
SSDEEP: 786432:Jgl+WaEcSSZKuS+HScq4p86auFhFJ6EeM41OrvnAGlif2X5XkA:WM7jj1SEqC86xWEAOfHZ50A
Malware Config
Extracted
Family: raccoon
Key: ee2a3d190100b91c20d8bc284238dda6
C2: http://45.15.156.144/
Signatures
Executes dropped EXE (2 IoCs)
  pid   process
  992   setup.exe
  1248  zxcvyponmgqwsdh.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description adds "likely ransomware behaviour"; here the extracted config identifies the sample as Raccoon, a stealer, for which drive enumeration is consistent with locating files to collect rather than with encryption.
Modifies registry class (2 IoCs)
  description  ioc                                                                                      process
  Key created  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings  OpenWith.exe
  Both entries come from the shell's open-with handling of the .rar (cmd /c <file>.rar, then OpenWith.exe -Embedding), not from the payload.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  992   setup.exe
  992   setup.exe
  1248  zxcvyponmgqwsdh.exe
  1248  zxcvyponmgqwsdh.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                  pid   process
  Token: SeRestorePrivilege    4712  7zG.exe
  Token: 35                    4712  7zG.exe
  Token: SeSecurityPrivilege   4712  7zG.exe
  Token: SeSecurityPrivilege   4712  7zG.exe
  Token: SeRestorePrivilege    1964  7zG.exe
  Token: 35                    1964  7zG.exe
  Token: SeSecurityPrivilege   1964  7zG.exe
  Token: SeSecurityPrivilege   1964  7zG.exe
  Privilege LUID 35 is SeCreateSymbolicLinkPrivilege. All eight events are raised by the two user-driven 7-Zip extractions (pids 4712 and 1964), which is normal for 7-Zip restoring file attributes and links; they say nothing about the payload.
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  4712  7zG.exe
  1964  7zG.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  820   OpenWith.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\PremiumFileT13-Pass-55551.rar
  - Modifies registry class
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\" -spe -an -ai#7zMap22340:108:7zEvent6347
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\" -spe -an -ai#7zMap13042:136:7zEvent20968
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\setup.exe
  Command line: "C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\setup.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\zxcvyponmgqwsdh.exe
  Command line: "C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\zxcvyponmgqwsdh.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
All processes are top-level (no parent/child chain between them): the sandbox user opens the archive, extracts it twice with 7-Zip (outer .rar, then the nested ActivatedFile archive), and runs the two extracted executables by hand.
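The detection-relevant shape in the process list is an interactive 7-Zip extraction (7zG.exe x -o"<dir>") followed shortly by execution of a binary from that output directory. The Python below, added here and not part of the Triage report, implements that check over an event timeline. Command lines and pids are copied from the report; the timestamps, the cmd.exe pid, the notepad.exe control event, the event field names, the 10-minute window and the archiver name list (7zG.exe, 7z.exe, 7za.exe) are assumptions.

```python
"""Flag execution of a binary from a directory 7-Zip just extracted into.

Added example for this report (not Triage's code). The event list is
constructed: command lines and pids come from the report's process list,
timestamps and the benign notepad.exe event are invented for the demo.
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ARCHIVERS = {"7zg.exe", "7z.exe", "7za.exe"}  # assumption: 7-Zip front-ends to watch
# 7-Zip output dir: -o"quoted path" or -obare_path, only where -o starts a token
OUT_DIR_RE = re.compile(r'(?<!\S)-o(?:"([^"]+)"|(\S+))')


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    image: str
    cmdline: str


@dataclass
class Hit:
    pid: int
    image: str
    extraction_dir: str
    extractor_pid: int


def norm(path: str) -> str:
    """Windows-style normalisation (case-folded, trailing separator dropped)."""
    return ntpath.normcase(ntpath.normpath(path))


def extraction_dirs(ev: ProcEvent) -> List[str]:
    """Output directories named by a 7-Zip extraction command, else []."""
    if ntpath.basename(ev.image).lower() not in ARCHIVERS:
        return []
    return [norm(m.group(1) or m.group(2)) for m in OUT_DIR_RE.finditer(ev.cmdline)]


def is_under(path: str, directory: str) -> bool:
    p = norm(path)
    return p == directory or p.startswith(directory + "\\")


def find_exec_from_extraction(events: List[ProcEvent],
                              window: timedelta = timedelta(minutes=10)) -> List[Hit]:
    """Return one Hit per process started from a recently extracted directory.

    When several extraction dirs match (nested extractions, as in the report),
    the most specific (longest) directory is reported.
    """
    extracted = []  # (time, normalised dir, extractor pid)
    hits: List[Hit] = []
    for ev in sorted(events, key=lambda e: e.ts):
        dirs = extraction_dirs(ev)
        if dirs:
            extracted.extend((ev.ts, d, ev.pid) for d in dirs)
            continue  # the archiver itself is never a hit
        best: Optional[tuple] = None
        for t, d, epid in extracted:
            if ev.ts - t <= window and is_under(ev.image, d):
                if best is None or len(d) > len(best[1]):
                    best = (t, d, epid)
        if best is not None:
            hits.append(Hit(ev.pid, ev.image, best[1], best[2]))
    return hits


def build_report_events() -> List[ProcEvent]:
    """Constructed timeline: command lines from the report, times assumed."""
    t0 = datetime(2023, 4, 1, 2, 17, 0)
    s = lambda n: t0 + timedelta(seconds=n)
    seven_zip = r"C:\Program Files\7-Zip\7zG.exe"
    base = r"C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551"
    return [
        ProcEvent(s(0), 0, r"C:\Windows\system32\cmd.exe",  # pid not in report
                  r"cmd /c C:\Users\Admin\AppData\Local\Temp\PremiumFileT13-Pass-55551.rar"),
        ProcEvent(s(5), 820, r"C:\Windows\system32\OpenWith.exe",
                  r"C:\Windows\system32\OpenWith.exe -Embedding"),
        ProcEvent(s(30), 4712, seven_zip,
                  f'"{seven_zip}" x -o"{base}\\" -spe -an -ai#7zMap22340:108:7zEvent6347'),
        ProcEvent(s(60), 1964, seven_zip,
                  f'"{seven_zip}" x -o"{base}\\ActivatedFile\\" -spe -an -ai#7zMap13042:136:7zEvent20968'),
        ProcEvent(s(90), 992, base + r"\ActivatedFile\setup.exe",
                  f'"{base}\\ActivatedFile\\setup.exe"'),
        ProcEvent(s(100), 3000, r"C:\Windows\system32\notepad.exe", "notepad.exe"),  # benign control
        ProcEvent(s(120), 1248, base + r"\ActivatedFile\zxcvyponmgqwsdh.exe",
                  f'"{base}\\ActivatedFile\\zxcvyponmgqwsdh.exe"'),
    ]


if __name__ == "__main__":
    for h in find_exec_from_extraction(build_report_events()):
        print(f"pid {h.pid}: {h.image} ran from {h.extraction_dir} (extracted by pid {h.extractor_pid})")
```

Run against the report's timeline this flags pid 992 (setup.exe) and pid 1248 (zxcvyponmgqwsdh.exe), both attributed to the second extraction (pid 1964) because its output directory is the more specific match; cmd.exe, OpenWith.exe and the notepad.exe control are not flagged. In a real pipeline the extraction directory would come from the archiver's file-write events rather than from parsing -o, which also covers drag-and-drop extraction where no -o appears.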
Downloads
C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile.rar
  Filesize: 24.5MB
  MD5: 5018a5ffdcc6968e87e16e9ec1a288f2
  SHA1: ff728b148b31441714e6bb2b9a4e84ab733f06ab
  SHA256: 8cad46796d0cab522a2ac3a936b716759810e20cb75136356845015ce452bff6
  SHA512: ab8fbe092624553ec5185a610093ab6251cbd2b4dddd4441d0d70c85c8399035345076027de58176e4e12eb2a04987a8198b39393bba363b30b7ab453618811f
C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\setup.exe
  Filesize: 2012.7MB
  MD5: 9385ae1045691a4c0fd1a49ba1abf11d
  SHA1: 06da2e8533efdd665e686240f6dbf87ddaab62de
  SHA256: e96197337a6754e2fcf1529218886d2eab7d9159a2d4e4d709fcd129e7c45fa5
  SHA512: 18156fbc6ec5b2c6d83ee0c8dfe8be599f9ebe95466e0968d730ac761e1f46bde24c3153621575c16739e7cb899fb364ebbb39b68ded4e9636759125f588dc7e
  Note: the on-disk size (2012.7MB) is far larger than the 22.5MB image mapped for pid 992 at 0x400000-0x1A89000 (memory dumps below), and the archive that carried it (ActivatedFile.rar) is only 24.5MB. Both figures are consistent with a large, highly compressible overlay appended to push the file past the size limits of AV scanners and sandbox or portal uploads; hash and analyse the mapped image, not just the file.
C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\zxcvyponmgqwsdh.exe
  Filesize: 12.7MB
  MD5: 3c97da8c3cfa06ef01fe2cb3350684ab
  SHA1: 99aa331eaeca57d671320bebf655e3bcd34ae919
  SHA256: 0fe9a62c38022f4904b600a0b7e8329ab2acdeb54193e03a6502b2ade27a8f9a
  SHA512: 55f7521002370efbedce92825bbf972e8c89fd6621658308017ef224eb4d83ba7214f46b17ee88e0cf40e01b0480d4389c773c4752eb31c4214590ef4850392c
Memory dumps
  memory/992-146: 0x0000000001A90000-0x0000000001A91000, 4KB
  memory/992-147: 0x0000000000400000-0x0000000001A89000, 22.5MB
  memory/1248-149: 0x0000000001BF0000-0x0000000001BF1000, 4KB
  memory/1248-150: 0x0000000000400000-0x0000000001A89000, 22.5MB
Both executables map an image of identical extent (0x400000-0x1A89000) despite their very different file sizes, so the 22.5MB dumps are the natural starting point for comparing the two.
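To check whether a file like the 2012.7MB setup.exe is inflated by filler rather than carrying a real data overlay, the Python below (added here, not part of the Triage report) parses the PE section table to find where the loadable data ends, measures the overlay that follows and samples its entropy. It runs offline on a minimal PE it constructs itself; build_sample_pe(), the sample sizes and the "padded" thresholds in analyze_overlay() are assumptions for the demo, not values taken from the report.

```python
"""Overlay-padding check for bloated PE files (added example, not Triage's code).

The report shows setup.exe at 2012.7MB on disk while pid 992 maps a 22.5MB
image, i.e. most of the file is never loaded. This script finds where the
headers plus raw section data end, measures the trailing overlay and samples
its entropy so zero/filler padding can be told apart from a legitimate overlay
(installer payloads, self-extractors). The PE built by build_sample_pe() is a
constructed, non-runnable stand-in so the script works without a real sample.
"""
import math
import struct
from collections import Counter


def pe_payload_end(data: bytes) -> int:
    """Offset at which headers plus all raw section data end (start of any overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]           # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]              # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    size_of_headers = struct.unpack_from("<I", data, coff + 20 + 60)[0]  # OptionalHeader.SizeOfHeaders (PE32 and PE32+)
    sec_table = coff + 20 + opt_size
    end = size_of_headers
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))  # truncated files: never point past EOF


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte, 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def analyze_overlay(data: bytes, sample: int = 1 << 16) -> dict:
    """Measure the overlay; 'looks_padded' is a heuristic (assumed thresholds)."""
    end = pe_payload_end(data)
    overlay = data[end:]
    ent = shannon_entropy(overlay[:sample])
    return {
        "payload_end": end,
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(data) if data else 0.0,
        "overlay_entropy": ent,
        # more than half the file is overlay AND its head is near-constant bytes
        "looks_padded": len(overlay) > len(data) // 2 and ent < 1.0,
    }


def strip_overlay(data: bytes) -> bytes:
    """Return only headers + section data; valid input for a hash or sandbox upload."""
    return data[:pe_payload_end(data)]


def build_sample_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section and `overlay` appended."""
    file_align, hdr_size = 0x200, 0x200
    raw_size = -(-len(section_bytes) // file_align) * file_align  # round up to FileAlignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, 224-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                          # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)                      # FileAlignment
    struct.pack_into("<I", opt, 56, 0x1000 + raw_size)               # SizeOfImage
    struct.pack_into("<I", opt, 60, hdr_size)                        # SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                      raw_size, hdr_size, 0, 0, 0, 0, 0x60000020)    # CODE|EXECUTE|READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(hdr_size, b"\0")
    return headers + section_bytes.ljust(raw_size, b"\0") + overlay


if __name__ == "__main__":
    padded = build_sample_pe(bytes(range(256)) * 4, b"\0" * 1_000_000)   # zero-filled bloat
    legit = build_sample_pe(bytes(range(256)) * 4, bytes(range(256)) * 8)  # high-entropy data overlay
    for name, blob in (("padded", padded), ("legit-overlay", legit)):
        r = analyze_overlay(blob)
        print(f"{name}: overlay {r['overlay_size']} bytes ({r['overlay_ratio']:.1%}), "
              f"entropy {r['overlay_entropy']:.2f}, padded={r['looks_padded']}, "
              f"stripped size {len(strip_overlay(blob))}")
```

On a real sample, run analyze_overlay() on the file bytes before deciding to strip: self-extracting installers and some loaders keep their payload or configuration in the overlay (high entropy, and the program reads it back from disk), so strip_overlay() is for making a padded file manageable for hashing, upload and static triage, not a transformation to apply blindly. The entropy sample covers only the first 64KB of the overlay by default; a padder that prefixes a little real data before the filler would need the sample taken from several offsets.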