Analysis
-
max time kernel
94s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-de -
resource tags
-
submitted
01/04/2023, 14:19
General
-
Target
raid tool (1).rar
-
Size
9.8MB
-
MD5
89c6b8f5314d832a3db9eaaa886cc951
-
SHA1
8ef2bcab2667c5e2b303c69c549e8533240b14c0
-
SHA256
2d7543689ee4879417e4583e7db2906024ac10fbfc3eeeeea008c7c1b3cfd698
-
SHA512
5d87aa8cd8de217d69e8cafabb0b73c73eef6087f6c54df464839218ef5fc5587e1ac73d21611733703aaec3e9fdd31e2aae3ba9236842ccc65f860f671b8ffa
-
SSDEEP
196608:x/lsFywYUO5aIUXqMnbE04TKCH9aa+IODhkZ/NZDOWSRxo/itSpgfuhytIQ6rr0T:HRw+5Q6MnbETTKI9P+zDhkl3SRxo1pgP
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\raid tool (1).rar"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\raid tool (1).rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\raid tool (1).rar"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.0.561959658\679184234" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13274d01-28a5-45b0-85ad-2d41243aa04d} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 1932 1d00ef16558 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.1.487763844\1896720849" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b4119cb-a3ea-4542-8adf-9a36ad1726b5} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 2356 1d000f72b58 socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.2.2118266814\1114598933" -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6480626f-7299-4d9b-903d-09c64d438a5e} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 3268 1d00de93f58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.3.765880830\1685196377" -childID 2 -isForBrowser -prefsHandle 1096 -prefMapHandle 3556 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42d263fc-06db-4f56-b251-9b68e2efa1af} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 3912 1d012e18558 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.5.2126944443\1195734595" -childID 4 -isForBrowser -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b428f5d7-01f2-44e7-b4e4-129fdbc8289a} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 4848 1d014735b58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.4.1896094533\1376701802" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4740 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f102940c-7e2d-4c2f-9243-8fda2a8de3bc} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 4712 1d0121d3e58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4192.6.1903395818\1717637816" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5068 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {473b75f6-89a9-4c9b-aa0e-94fe3be3f5e4} 4192 "\\.\pipe\gecko-crash-server-pipe.4192" 5264 1d014736158 tab4⤵
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\raid tool (1).rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\raid tool (1).rar"2⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\Downloads\raid tool (1).rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\Downloads\raid tool (1).rar"2⤵
- Checks processor information in registry
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148KB
MD54a7e87d34b1357fe3b0f157ff3a57d6c
SHA14a24ebe96218a5b78549e1273984e9ff619cb0e9
SHA25645efdf37fa097be413fe9e41a0177136787ca2814ec558e45226735777336e42
SHA512d58208ca6429650445cdc04bb736f7ac979fb732d30244e24e1bafcb86ddf25cea53d913f5152464b01c2cb78dc2a3ed0abd685c254a673b126ffae31ec2294a
-
Filesize
7KB
MD595212dced9aeb505b4133afc52194073
SHA160339e47dc7c05ebfbc7e5639ac61fa890beeb29
SHA256453a8d36989a2d82ca3d860bd23129bef9ecd1a016adec17e0d1045d9d5cb6db
SHA512046e715d748887c5634a82cc34bfb9965e08e945a6c8528f96b3763385b0de5912dd9439a9af1c04552d62246b1e8ebc83ddae544f762063b1d45cf4601e8f43
-
Filesize
6KB
MD51efd65cb02bf6fc3782e8856b2810f89
SHA122f8a4a041b696d4e1dd8785486b97f8ade3856b
SHA256b7c9992adaefb5f5a71c4cdf69123eb493ef1a37a95103e41e2cac910e0b5248
SHA5120d0ab4821eec5a15afd793c9f18b27877b049ebcc8eca6ecb27116351febbd7576dbb707c17ff0e220879b19e1a2355db4decfed50603c81b277c73c20315ffe
-
Filesize
7KB
MD54b9dbabc897d8ec525ee6f2c9022e87d
SHA118873e112e25ef5e1f8b626e81aca4151e2296c1
SHA25641a5dd7c9122b691f7c03d1134043c53bae48452971c4496692c6f668d5863e6
SHA51214dd78495c06025b582ff4decea348988e241b80fb43e0472d4e9a116f03f90ae2108d18fd8c359259cb437d6b5f3ccf12d7bf53d28940b0cd4f034e338e94ca
-
Filesize
6KB
MD52a5884d7402ff808be028f46ca8c6f23
SHA1f54135b1e1530a33aca6f722577d7a0078620910
SHA2568e1300e0ca1b4b1cba0e9da123914977019b67d6fb91dcd3b52d52b62f395a50
SHA5125573c787f658c6a606565f7eb59ddc615b5375e795b393aa2536a5e3dbca07a642b4f0cc5904dcec672e2444a2f1c6c38fd9e6931ecf018a39e1b461e90f8369
-
Filesize
7KB
MD5b8e3a3aff6ec59070bc007dd1e5fa711
SHA16f3f9f0cb065acb8992a198df881ed5d19e74ea2
SHA2562b4903884f3fdb2ed8df3b3ed0a4e9b3114e00f4613d6308121e892c1d218843
SHA51241645e3a6d8bb849139e8271e51ab1f379219b173431abbb635f95f76ce3ef1d89bdfaf5ff573980187df1fc8a340eeb8bcf29b6e5bf2fe604647d9ad07c5160
-
Filesize
7KB
MD518f579dcb01c985b96170deb60043033
SHA153fb3f075dcc1dd5f7aa85e282f41a9f5c68d5ad
SHA25629ad4aaee4ee673a5e1258f4a6787cb59b3f095032ea7f213326bb8e7f50f309
SHA512dbd54972f07068c6736a59751240de00a4cc0ff43e925ef1dc160c265423b496caac3015fa3c377af47ea5bc4bcefe00c89258dc037af2e708ac727caadfdd0c
-
Filesize
6KB
MD5108b97b1ff7efbdb1aecce96d55ff2e5
SHA1bb72b2e0c3d859fe5e821632307a32df331b55e1
SHA256c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e
SHA512e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc
-
Filesize
1KB
MD5dbd06628cfa8fd62c64d12b126b5f3fd
SHA11e35b2eb466542def46a13db3a8169409a8377da
SHA2565e87a3b43629e7f3a37a1c9dc2a211d37f7a7a4859eb917f0bed69c52f882b52
SHA5122e5eacae539a77997225990092c81c6618f0a40a5f4db937fc51d5f302189880e08e919da165eb5ea9f7d240e97580a209a5569f22d9edfa283c867329b7e6f3
-
Filesize
1KB
MD53a2e4200cfe37d0184b2abd924b5412b
SHA1593f2a7f240089762d4b49cfc93e318314905e51
SHA256b073d8fb5367308402c47204f533f547166bc61716830b5f8fc4c6cd28368456
SHA5124176779083c8754d146e88115742c1ea03bda7c55edba862c6218efa424bc830647c0635b18dc7f7ed0c5b5e4b1911f87665af8b6dd9407a2910aa89518d60e8
-
Filesize
9.8MB
MD589c6b8f5314d832a3db9eaaa886cc951
SHA18ef2bcab2667c5e2b303c69c549e8533240b14c0
SHA2562d7543689ee4879417e4583e7db2906024ac10fbfc3eeeeea008c7c1b3cfd698
SHA5125d87aa8cd8de217d69e8cafabb0b73c73eef6087f6c54df464839218ef5fc5587e1ac73d21611733703aaec3e9fdd31e2aae3ba9236842ccc65f860f671b8ffa