Analysis

max time kernel: 901s
max time network: 906s
platform: windows7_x64
resource: win7-20230220-es
resource tags: arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system, windows
submitted: 06-04-2023 22:23
Static task: static1

Behavioral task: behavioral1
  Sample: FullVersionG5_Setup_2023_As_PassKey.rar
  Resource: win7-20230220-es

Behavioral task: behavioral2
  Sample: FullVersionG5_Setup_2023_As_PassKey.rar
  Resource: win10v2004-20230220-es
General

Target: FullVersionG5_Setup_2023_As_PassKey.rar
Size: 19.5MB
MD5: 325269d3b8c7c2057812eded13784d47
SHA1: bc8acc9988dde2f8691ea4de439701d590880cf3
SHA256: 6e80a4fc6708c4afd1992257a56f2060a4d3ec0d03076c8e4644f86d6bdb37cb
SHA512: 7c49de177716f863ade22672cd46cdc3a733949471ea663d19ab16720bf079f00f93d4b8d0a6c0c8e278e617b4472ca16115f71ce47fcaf08965c1a4babb319e
SSDEEP: 393216:uh7aPjot+wiTtIyio6OnwFzi6gQbXULHWqgh4MCvQjw7mhr:OaPsMwkGyi5KFvxtghcQjWmN
Malware Config

Extracted: raccoon
  13718a923845c0cdab8ce45c585b8d63
  http://45.15.156.143/
Signatures

Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1872  aaSatup.exe
    688   aaSatup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes:
    pid   process
    1872  aaSatup.exe
    1872  aaSatup.exe
    688   aaSatup.exe
    688   aaSatup.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
  Processes:
    description   ioc                                                                                     process
    Key created   \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings   rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1872  aaSatup.exe
    688   aaSatup.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                  pid   process
    Token: SeRestorePrivilege    1692  7zG.exe
    Token: 35                    1692  7zG.exe
    Token: SeSecurityPrivilege   1692  7zG.exe
    Token: SeSecurityPrivilege   1692  7zG.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid   process
    1692  7zG.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process   target process
    PID 1120 wrote to memory of 1184    1120  cmd.exe   rundll32.exe
    PID 1120 wrote to memory of 1184    1120  cmd.exe   rundll32.exe
    PID 1120 wrote to memory of 1184    1120  cmd.exe   rundll32.exe
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FullVersionG5_Setup_2023_As_PassKey.rar
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FullVersionG5_Setup_2023_As_PassKey.rar
    - Modifies registry class

C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\" -spe -an -ai#7zMap28318:128:7zEvent24522
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
  Command line: "C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
  Command line: "C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
  Filesize: 1953.7MB
  MD5: 9d7c498278c6f174862aa4ff3ae7fec2
  SHA1: 02fc01d52e0fffe126b773e084921ace6d687a15
  SHA256: 776f7c9f04717f8336d14162137346b190a8f026eecfcbcade4bc88fabbff404
  SHA512: d55e8f50588a51122abfb96af30fd224a9917376d40a5dfcd42a70f99c26f2ff003735a5a6cb8b10046ee5eb1669cb08882832cfb73f400b4b20ad3d3d6c5a49
memory/688-158-0x0000000000400000-0x0000000002186000-memory.dmp
  Filesize: 29.5MB

memory/1872-143-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB

memory/1872-145-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB

memory/1872-144-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB

memory/1872-146-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB

memory/1872-147-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB

memory/1872-148-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB

memory/1872-149-0x0000000000400000-0x0000000002186000-memory.dmp
  Filesize: 29.5MB