Resubmissions
01-04-2023 07:12  230401-h1ragshh9x  1
01-04-2023 07:00  230401-hsy1csge76  10
01-04-2023 06:57  230401-hq4stshh51  1

Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-04-2023 06:57
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar
Resource
win10v2004-20230220-en
General
Target: http://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar
Malware Config
Signatures
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04d861b7864d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{451D703E-D06B-11ED-9F77-DAE3AE61CC88} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d19b1b7864d901 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c0000000002000000000010660000000100002000000034395c3e2f212cb127791d1f1be8487ca48c7b06d25a5479b284afecd47b2eb8000000000e8000000002000020000000f0653fd1efb1a8a79e28f6bab52bc51a94f9398fb5751c69cba7e1c9ec87e2fe2000000077554106456241bf483e8c1083a96de0530fa967c21eee291ace63684fa668b540000000aad43ec038c9cc222716b31bc55f1bf829d24782d80eacf222f4197965c662c4acab2bbf87470d06c6c360411550366e219011fa0a5f61ea219b703eb0c8184e | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "438511042" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "438511042" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024248" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000a4d87a3a78f4e583f8462fee73e02ddf219c0616ffad5c8e2f4ac1f79724e100000000000e80000000020000200000002af6a73c50edcb928f05b384495d6b6d4585073ff0f87be8d437c3587d3c323020000000abc50e670e52d7d992f99084addaba4c9809d1cf45de2273d29706a8296453f5400000005a39b03c9f5eb8f17acfa7e6d51b5568ba44eb256f7c452d332e5167519ea5106d29f1bf64560201a5d1b39d7023cff4545f0d45dbd9f004e66934b05c96246a | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{E4E51B59-8FF0-4AD9-8277-BC167E4A99B2}" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024248" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
pid | process
1488 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: taskmgr.exe
pid | process
2072 | taskmgr.exe (16 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 7zG.exe
pid | process
692 | 7zG.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes: taskmgr.exe, 7zG.exe, 7zG.exe, 7zG.exe, 7zG.exe
description | pid | process
Token: SeDebugPrivilege | 2072 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2072 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2072 | taskmgr.exe
Token: 33 | 2072 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2072 | taskmgr.exe
Token: SeRestorePrivilege | 1524 | 7zG.exe
Token: 35 | 1524 | 7zG.exe
Token: SeSecurityPrivilege | 1524 | 7zG.exe
Token: SeSecurityPrivilege | 1524 | 7zG.exe
Token: SeRestorePrivilege | 692 | 7zG.exe
Token: 35 | 692 | 7zG.exe
Token: SeSecurityPrivilege | 692 | 7zG.exe
Token: SeSecurityPrivilege | 692 | 7zG.exe
Token: SeRestorePrivilege | 2684 | 7zG.exe
Token: 35 | 2684 | 7zG.exe
Token: SeSecurityPrivilege | 2684 | 7zG.exe
Token: SeRestorePrivilege | 1720 | 7zG.exe
Token: 35 | 1720 | 7zG.exe
Token: SeSecurityPrivilege | 1720 | 7zG.exe
Token: SeSecurityPrivilege | 1720 | 7zG.exe
Suspicious use of FindShellTrayWindow 48 IoCs
Processes: iexplore.exe, taskmgr.exe, 7zG.exe, 7zG.exe, 7zG.exe, 7zG.exe
pid | process
1096 | iexplore.exe (2 entries)
2072 | taskmgr.exe (42 entries)
1524 | 7zG.exe
692 | 7zG.exe
2684 | 7zG.exe
1720 | 7zG.exe
Suspicious use of SendNotifyMessage 42 IoCs
Processes: taskmgr.exe
pid | process
2072 | taskmgr.exe (42 identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
1096 | iexplore.exe (2 entries)
1728 | IEXPLORE.EXE (2 entries)
Suspicious use of WriteProcessMemory 3 IoCs
Processes: iexplore.exe
description | pid | process | target process
PID 1096 wrote to memory of 1728 | 1096 | iexplore.exe | IEXPLORE.EXE
PID 1096 wrote to memory of 1728 | 1096 | iexplore.exe | IEXPLORE.EXE
PID 1096 wrote to memory of 1728 | 1096 | iexplore.exe | IEXPLORE.EXE
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar
  PID: 1096
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:17410 /prefetch:2
      PID: 1728
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BackupSplit.bat
  PID: 1488
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2072
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\werfault.exe
  Command line: werfault.exe /h /shared Global\9450122433f74a869960ce9a02320619 /t 1576 /p 1488
  PID: 4960

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4072

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -spe -an -ai#7zMap23296:72:7zEvent326
  PID: 1524
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -spe -an -ai#7zMap16522:72:7zEvent8439
  PID: 692
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap26551:72:7zEvent17442
  PID: 2684
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -spe -an -ai#7zMap23686:72:7zEvent5528
  PID: 1720
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 56.5MB
MD5: 6305b5402391d1088f8086d21a24c241
SHA1: 3eeac2dee953119bbe45eecd07c97833e97c9346
SHA256: 90b0950960b30715a9f9c78ff507858c14655f55bd33ce76ff4e63d0a1eabb43
SHA512: 3a40cbb093847f5372af9484bb8e9d74309e00ab556d1ad27df88da5d8482f34ffab1a12b25bc7a3b073dfe41c0fdd8fcb4251486b0ab211fb28402043aadc62