556bc78a58f48fb0422b320c6ca0f3bf3e1b0d5e00609cb656313cb5896b7817

Resubmissions

14/04/2023, 05:54

230414-gmdxkage27 7

14/04/2023, 05:53

230414-glspbshh6x 3

14/04/2023, 05:52

230414-gkt6rsgd97 3

14/04/2023, 05:49

230414-gjbyssgd86 3

Analysis

max time kernel
52s
max time network
50s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/04/2023, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hogwarts_legacy.torrent
Size

377KB
MD5

b20fa7a9151c40c44a3768053c3ea587
SHA1

b34017a9be0f3d5a26977b5093f7419e76f44d13
SHA256

556bc78a58f48fb0422b320c6ca0f3bf3e1b0d5e00609cb656313cb5896b7817
SHA512

7a894335de9e1494ade12ea3c11360a7813f6f558737cf3132293b011978bd3eab6a99121d5e008f69b7b5c4ef3fe37408a0c0931fd5d5cdb88cb0b08f4750df
SSDEEP

6144:hhJM2mip4k2nYWAM4eyywSzMXEwO5VThBSaWdoU8w1mWTUGW:hQu4k2jAMX58Ep5VthWPAP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\torrent_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\torrent_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.torrent	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\torrent_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\torrent_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.torrent\ = "torrent_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\torrent_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\torrent_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
564	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
300	AcroRd32.exe
300	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 564	2008	cmd.exe	28
PID 2008 wrote to memory of 564	2008	cmd.exe	28
PID 2008 wrote to memory of 564	2008	cmd.exe	28
PID 564 wrote to memory of 300	564	rundll32.exe	29
PID 564 wrote to memory of 300	564	rundll32.exe	29
PID 564 wrote to memory of 300	564	rundll32.exe	29
PID 564 wrote to memory of 300	564	rundll32.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hogwarts_legacy.torrent
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\hogwarts_legacy.torrent
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\hogwarts_legacy.torrent"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:300

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads