Analysis
max time kernel: 1615s
max time network: 1619s
platform: windows7_x64
resource: win7-20230220-es
resource tags: arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system:windows
submitted: 06-04-2023 02:15
Static task: static1
Behavioral task: behavioral1
  Sample: Active_Version_Fully_Setups.rar
  Resource: win7-20230220-es
Behavioral task: behavioral2
  Sample: Active_Version_Fully_Setups.rar
  Resource: win10v2004-20230221-es
General
Target: Active_Version_Fully_Setups.rar
Size: 12.4MB
MD5: f588b0444462c53360663ac435c60449
SHA1: 76bc144accf885d58cf3d814e1e00fe0c9f00455
SHA256: 968c44669316afd10647241ac2ec0fb93791863d3b41075be3f382b093fa516c
SHA512: 0238e5634adaf0f31b648f76face0759a4329d5a138206da943af993e160137e813b728efa49fa4be1a5a3e8318e9573ff6715f1be80a769ca53b731865a16dc
SSDEEP: 196608:I/XrZIOLnKVrhzzAhebMXdPmsdKE4VzolZ6AOv3uMbwWwtO7ufVE07oXEt2B2Ah:I6CE1zuOMNPFKE4V61OPnbwF60+Fh
Malware Config
Extracted
raccoon
13718a923845c0cdab8ce45c585b8d63
http://45.15.156.143/
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1136  Satups.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                 process
  Key created  \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings  rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1136  Satups.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
  description                         pid   process
  Token: SeRestorePrivilege           288   7zG.exe
  Token: 35                           288   7zG.exe
  Token: SeSecurityPrivilege          288   7zG.exe
  Token: SeSecurityPrivilege          288   7zG.exe
  Token: SeRestorePrivilege           1008  7zG.exe
  Token: 35                           1008  7zG.exe
  Token: SeSecurityPrivilege          1008  7zG.exe
  Token: SeSecurityPrivilege          1008  7zG.exe
  Token: 33                           1520  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   1520  AUDIODG.EXE
  Token: 33                           1520  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   1520  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  288   7zG.exe
  1008  7zG.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process  target process
  PID 1084 wrote to memory of 1700   1084  cmd.exe  rundll32.exe
  PID 1084 wrote to memory of 1700   1084  cmd.exe  rundll32.exe
  PID 1084 wrote to memory of 1700   1084  cmd.exe  rundll32.exe
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Active_Version_Fully_Setups.rar
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Active_Version_Fully_Setups.rar
    - Modifies registry class

C:\Windows\system32\verclsid.exe
  "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Active_Version_Fully_Setups\" -spe -an -ai#7zMap27036:112:7zEvent30618
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Active_Version_Fully_Setups\Active_Setups_2023_As_PaSsKey\" -spe -an -ai#7zMap28553:172:7zEvent25145
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0xc8
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\Active_Version_Fully_Setups\Active_Setups_2023_As_PaSsKey\Satups.exe
  "C:\Users\Admin\Desktop\Active_Version_Fully_Setups\Active_Setups_2023_As_PaSsKey\Satups.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Downloads

C:\Users\Admin\Desktop\Active_Version_Fully_Setups\Active_Setups_2023_As_PaSsKey.rar
  Filesize: 12.4MB
  MD5: d202535c0f306eb5e9a48e4c485aa43c
  SHA1: 4edb450cddba3e1d23193d2e410dad523b9628a8
  SHA256: fb77a5db32893c770edb5cfe63e6a4c4759f66f3e02399a9b7ef5e5eb9e30770
  SHA512: f9d6a39645cc211f837775cf8ad907461dc6ebdb91151e07aadfce4cf3ae858fbd8e533036a2ad9215881100c00d2ddd0e088c5731d5d063e14fd92ff0c16a29

C:\Users\Admin\Desktop\Active_Version_Fully_Setups\Active_Setups_2023_As_PaSsKey\Satups.exe
  Filesize: 1772.7MB
  MD5: e6ba3f3877cd9ffaac15dc36f1236687
  SHA1: dc06cd17f6346575018c73f4d33909fe7975d83b
  SHA256: f6911a4bc65c9ec2806376d8d5db2cdbef38b02737c5ac496afa96a99a5c7e9e
  SHA512: 25acf005c09b360df00ddb1a9149a9abf49ee750cb3e697b7ebe39cf136d91e620b20045af180f6c56f5cca856ca733809f8398a7a4983824c246db6f9cbafb9
memory/1136-89-0x00000000001C0000-0x00000000001C1000-memory.dmp
  Filesize: 4KB

memory/1136-91-0x00000000001C0000-0x00000000001C1000-memory.dmp
  Filesize: 4KB

memory/1136-90-0x00000000001C0000-0x00000000001C1000-memory.dmp
  Filesize: 4KB

memory/1136-92-0x0000000000400000-0x0000000001A90000-memory.dmp
  Filesize: 22.6MB