f48e56c42692554d0d7ea29f62c01a8302b39e711e763245c9abe45adffbc850

Analysis

max time kernel
57s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-04-2023 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StormRushInstaller.rar
Size

68.1MB
MD5

b38792aefa88d03d6ad5b9ecd4c926a7
SHA1

ff3973d8d1f126e7b8b1a14305ea6b13c3c7383f
SHA256

f48e56c42692554d0d7ea29f62c01a8302b39e711e763245c9abe45adffbc850
SHA512

17122077f3532a151bdb01ec810c50ecb39de434107469973eb88f98460683f912c2666055cb98c85d27917a72c774f476fee62280b80840e8be2255218270b9
SSDEEP

1572864:elC+2WJpCBOq+0eo4Jd3FgUx+ZbvmhkSjOpZ:egHRYCCBxwbvmBOT

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
676	rundll32.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe
676	rundll32.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 676	912	cmd.exe	28
PID 912 wrote to memory of 676	912	cmd.exe	28
PID 912 wrote to memory of 676	912	cmd.exe	28
PID 1924 wrote to memory of 980	1924	chrome.exe	30
PID 1924 wrote to memory of 980	1924	chrome.exe	30
PID 1924 wrote to memory of 980	1924	chrome.exe	30
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 524	1924	chrome.exe	32
PID 1924 wrote to memory of 1488	1924	chrome.exe	33
PID 1924 wrote to memory of 1488	1924	chrome.exe	33
PID 1924 wrote to memory of 1488	1924	chrome.exe	33
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34
PID 1924 wrote to memory of 1528	1924	chrome.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\StormRushInstaller.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\StormRushInstaller.rar
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:676
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\StormRushInstaller.rar"
    3⤵
    PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69a9758,0x7fef69a9768,0x7fef69a9778
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:2
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2372 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1508 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:2
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2300 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3916 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4036 --field-trial-handle=1244,i,6895750770170137939,16347239137828850564,131072 /prefetch:8
  2⤵
  PID:2324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:324

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9be6a8f28606c82768fe3355706766ac

SHA1
b896de1ddd34ea88d82d696259a3f3ae6d8176f4

SHA256
7cb9db285d5a333b0907477e4745849d5aff08f405b7522e58a2bf4f5b6f8e85

SHA512
61b292446c73f3d1086eb1f95e31eaeaa48179502e807c02e7f5123e991309e40a541a83020a4f10e56bbbfefc9985125b83a922438e949bebc00aedb8806e0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5c444ea78077bd54b9cb4ab5bbe72b98

SHA1
08bcbeedeea8b8fe0f63726077f0079cf7030b27

SHA256
83490be20e9bfd02426668e3e007dcd2e9a8f994ed18bb9e4ef192bcb26e213e

SHA512
ed43e16adb23657e37880bbbde2686a432186b30e18dca6439c377294da0a83c5051cfd1e3f2530cf4be004ef66d40b090519e44c78756c61f40feac469a1003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d5cf308285e0b42e33ff6b2b1d3e7e2d

SHA1
fa1fcef2616f563ecf97c9edd0014fc7d7ee3de5

SHA256
7bb570e0f6270139303a3711193580ccf43f573c792dce017d7303e0fdf6f33b

SHA512
6bcd74193d6c8bda135774a54a1873e0a117a0af5bac993d93321d2ab888380516efde3c09e22bcf8f5f4bdc9e4f1385b48d79f77c0188870c15a934b6549158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
15b09f4cb1e690930a6f48a88dc1f67a

SHA1
d7eb86cdd9f5b3a8907bb8f748322eba147df428

SHA256
6366599551680c40a89fb8e6d193309840e381ee108ea1c76cb55b447eb5122c

SHA512
3ae8320e282ed16961bda3b57ac74becd05c65afbd4e3937cd271d91bf1f382755e50cdc43f4bda95b802127894d78766e83f09a1ea8c96c816f51d3806ea683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
memory/676-165-0x0000000003560000-0x0000000003570000-memory.dmp

Filesize
64KB

Download
memory/676-166-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download