42f583af7f0546b8f889c98c31e743c1968216e3853562ea323390a5750cc899

General

Target

IDA_Pro_7.7/ida64.exe
Size

4.0MB
MD5

24ba0b4e0a3445a6c2fb866d94669f05
SHA1

3b6bf89f5ec4b19266260fd488ae720a90f1865d
SHA256

70840575ebddb25412f6de60329d5d395b325b709df9202411b723d0744c9624
SHA512

dcbd7babaa0de562a0a6682c3c0b053c419ddc2e78d6a0213c081a5ca50a256a720d0c6cbf3b2de669a5410918dfeb2d7d4fc29b23ae3285103c8e3c2be8b2b0
SSDEEP

49152:GQptxtn8v9flRURQXyczsoBR9RAzkdk9ltnv2UtxOpYjObpJWYcmD75zoELxnXAm:GitxMR4QuoBPRAzz9lRvMVtdwdZro6m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1444	ida_keygen.exe
5036	ida_keygen.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3412	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3192	ida64.exe
1032	ida64.exe
2936	qwingraph.exe
1940	ida.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3192	ida64.exe
956	7zFM.exe
1032	ida64.exe
1940	ida.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	ida64.exe
Token: SeRestorePrivilege	1980	7zG.exe
Token: 35	1980	7zG.exe
Token: SeSecurityPrivilege	1980	7zG.exe
Token: SeSecurityPrivilege	1980	7zG.exe
Token: SeRestorePrivilege	956	7zFM.exe
Token: 35	956	7zFM.exe
Token: SeDebugPrivilege	1032	ida64.exe
Token: 33	3836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3836	AUDIODG.EXE
Token: SeDebugPrivilege	1940	ida.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3192	ida64.exe
1980	7zG.exe
956	7zFM.exe
1032	ida64.exe
1032	ida64.exe
1032	ida64.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3192	ida64.exe
2124	OpenWith.exe
2124	OpenWith.exe
2124	OpenWith.exe
2124	OpenWith.exe
2124	OpenWith.exe
2124	OpenWith.exe
2124	OpenWith.exe
2124	OpenWith.exe
2124	OpenWith.exe
1032	ida64.exe
2936	qwingraph.exe
1940	ida.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 1444	3348	cmd.exe	95
PID 3348 wrote to memory of 1444	3348	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\ida64.exe
"C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\ida64.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3192

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\" -spe -an -ai#7zMap20195:114:7zEvent2934
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1980

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_key_cmd.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_key_cmd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen.exe
  ida_keygen.exe -v 770 -u "Hex-Rays SA" -e "[email protected]" -t Floating
  2⤵
  - Executes dropped EXE
  PID:1444

C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen.exe"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen_src.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:956

C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\ida64.exe
"C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\ida64.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\qwingraph.exe
"C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\qwingraph.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\ida.exe
"C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\ida.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_key_cmd.bat

Filesize
85B

MD5
1b45ad559eb8d1237c68f0207299a23d

SHA1
c34cbfb42218361b026671839bf75f5cca4c9aeb

SHA256
7f1d3f2d8910f8e70d90f57fc55ccc2683282cce5cd934b7aa1805e19be2c2b8

SHA512
c9031f8abccb22a2a123baa4500cdd7f75c2972769ba3426deea74feb92b972ef2b8e2a89e7c69ef4463a9affc9b2cb65c5aa8f851715d4634bd076ce307d109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen.exe

Filesize
5.3MB

MD5
971e315a8e333fec0cacfcc0ac685cd0

SHA1
2ca18486c54ad032f52f899e626b02ed601e40c8

SHA256
5cb5901d8c7a768173b9553e0dd2a05f688686ce11657ec9a792ae29efdc3903

SHA512
965f35a55aa077212acd36952dca8251dd53a3769f93397ea3bb0ba0cc9685c9b987d5c483a172c97942fc2f5ca0709a7b1c4075a70167af50e0773edf2199e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen.exe

Filesize
5.3MB

MD5
971e315a8e333fec0cacfcc0ac685cd0

SHA1
2ca18486c54ad032f52f899e626b02ed601e40c8

SHA256
5cb5901d8c7a768173b9553e0dd2a05f688686ce11657ec9a792ae29efdc3903

SHA512
965f35a55aa077212acd36952dca8251dd53a3769f93397ea3bb0ba0cc9685c9b987d5c483a172c97942fc2f5ca0709a7b1c4075a70167af50e0773edf2199e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen.exe

Filesize
5.3MB

MD5
971e315a8e333fec0cacfcc0ac685cd0

SHA1
2ca18486c54ad032f52f899e626b02ed601e40c8

SHA256
5cb5901d8c7a768173b9553e0dd2a05f688686ce11657ec9a792ae29efdc3903

SHA512
965f35a55aa077212acd36952dca8251dd53a3769f93397ea3bb0ba0cc9685c9b987d5c483a172c97942fc2f5ca0709a7b1c4075a70167af50e0773edf2199e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA_Pro_7.7\Keygen\ida_keygen_src.7z

Filesize
6KB

MD5
e942c6417c2882446fecdcd2167de3f5

SHA1
e5d4221f8f79384dc56f99ca68f628506338ff02

SHA256
85343d9ad040822122cdf57f671997c6d39eb8ced8253a3ed12e86ec13da2210

SHA512
c206d48513e36c717a13f00188c594ca7db26cd2c1f084cb7676066b127e3e48a269320b0100c8b1aa9edda5f788b8cfe50c0c744a8fa3cb22b125111f9dc222

Download Submit
C:\Users\Admin\AppData\Roaming\BinDiff\bindiff.json

Filesize
9KB

MD5
0b11b9074b8387ea00eb8255d3678956

SHA1
79452b0f80051a1bba448625dfc519b2ad0b0fcc

SHA256
9358b3d6e8a872c438f89055a0b8313749c6266ad159c5db024147781be80f98

SHA512
ba3121efa9011af7fbb6047e64a7e54a3a299976f7731439234ece3d3a88676db661ee1ec512b7a8e92f638fd73dffd7edbd879957daa40b8f824f8368881505

Download Submit
memory/1032-160-0x00007FF7EFA70000-0x00007FF7EFE6F000-memory.dmp

Filesize
4.0MB

Download
memory/1032-158-0x00007FF7EFA70000-0x00007FF7EFE6F000-memory.dmp

Filesize
4.0MB

Download
memory/1032-166-0x00007FFCAEE10000-0x00007FFCAEE37000-memory.dmp

Filesize
156KB

Download
memory/1032-165-0x00007FFCAEE10000-0x00007FFCAEE37000-memory.dmp

Filesize
156KB

Download
memory/1032-164-0x000001AAEE6B0000-0x000001AAEE6E6000-memory.dmp

Filesize
216KB

Download
memory/1032-163-0x000001AAEE6B0000-0x000001AAEE6DE000-memory.dmp

Filesize
184KB

Download
memory/1032-161-0x000001AAE97C0000-0x000001AAE97D0000-memory.dmp

Filesize
64KB

Download
memory/1032-159-0x00007FFCAC720000-0x00007FFCACC76000-memory.dmp

Filesize
5.3MB

Download
memory/1444-154-0x00000241A0090000-0x00000241A00A0000-memory.dmp

Filesize
64KB

Download
memory/1940-169-0x00007FFCAC720000-0x00007FFCACC76000-memory.dmp

Filesize
5.3MB

Download
memory/1940-170-0x00007FF7B65A0000-0x00007FF7B699F000-memory.dmp

Filesize
4.0MB

Download
memory/1940-175-0x00007FFCAF500000-0x00007FFCAF527000-memory.dmp

Filesize
156KB

Download
memory/1940-174-0x00000295BA040000-0x00000295BA076000-memory.dmp

Filesize
216KB

Download
memory/1940-173-0x00000295BA040000-0x00000295BA06E000-memory.dmp

Filesize
184KB

Download
memory/1940-172-0x00000295B5320000-0x00000295B5330000-memory.dmp

Filesize
64KB

Download
memory/1940-171-0x00007FF7B65A0000-0x00007FF7B699F000-memory.dmp

Filesize
4.0MB

Download
memory/2936-168-0x0000022F32FF0000-0x0000022F33000000-memory.dmp

Filesize
64KB

Download
memory/2936-167-0x00007FFCAC720000-0x00007FFCACC76000-memory.dmp

Filesize
5.3MB

Download
memory/3192-133-0x00007FFCAC350000-0x00007FFCAC8A6000-memory.dmp

Filesize
5.3MB

Download
memory/3192-141-0x00007FFCACF60000-0x00007FFCACF87000-memory.dmp

Filesize
156KB

Download
memory/3192-140-0x00000204D1CC0000-0x00000204D1E91000-memory.dmp

Filesize
1.8MB

Download
memory/3192-139-0x00007FFCACF60000-0x00007FFCACF87000-memory.dmp

Filesize
156KB

Download
memory/3192-138-0x00000204D1EB0000-0x00000204D1EE6000-memory.dmp

Filesize
216KB

Download
memory/3192-137-0x00000204D1EB0000-0x00000204D1EDE000-memory.dmp

Filesize
184KB

Download
memory/3192-134-0x00007FF7EFA70000-0x00007FF7EFE6F000-memory.dmp

Filesize
4.0MB

Download
memory/3192-135-0x00000204CCCF0000-0x00000204CCD00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing