Overview
overview
10Static
static
34life kopa...!).rar
windows10-1703-x64
34BOT.exe
windows10-1703-x64
10CShauto.dll
windows10-1703-x64
1Cryptolens...ng.dll
windows10-1703-x64
1Emgu.CV.World.dll
windows10-1703-x64
1Guna.UI2.dll
windows10-1703-x64
1MySql.Data.dll
windows10-1703-x64
1Newtonsoft.Json.dll
windows10-1703-x64
1TheEyes.dll
windows10-1703-x64
1cvextern.dll
windows10-1703-x64
3Resubmissions
25/04/2023, 13:06
230425-qb6mwacc7x 1025/04/2023, 12:56
230425-p6tq5aad89 1025/04/2023, 12:54
230425-p5dzaacc5s 10Analysis
-
max time kernel
71s -
max time network
67s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
25/04/2023, 12:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4life kopalnia (vmka RAT!!!!).rar
Resource
win10-20230220-en
windows10-1703-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
4BOT.exe
Resource
win10-20230220-en
windows10-1703-x64
23 signatures
150 seconds
Behavioral task
behavioral3
Sample
CShauto.dll
Resource
win10-20230220-en
windows10-1703-x64
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
Cryptolens.Licensing.dll
Resource
win10-20230220-en
windows10-1703-x64
0 signatures
150 seconds
Behavioral task
behavioral5
Sample
Emgu.CV.World.dll
Resource
win10-20230220-en
windows10-1703-x64
0 signatures
150 seconds
Behavioral task
behavioral6
Sample
Guna.UI2.dll
Resource
win10-20230220-en
windows10-1703-x64
0 signatures
150 seconds
Behavioral task
behavioral7
Sample
MySql.Data.dll
Resource
win10-20230220-en
windows10-1703-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
Newtonsoft.Json.dll
Resource
win10-20230220-en
windows10-1703-x64
0 signatures
150 seconds
Behavioral task
behavioral9
Sample
TheEyes.dll
Resource
win10-20230220-en
windows10-1703-x64
0 signatures
150 seconds
Behavioral task
behavioral10
Sample
cvextern.dll
Resource
win10-20230220-en
windows10-1703-x64
1 signatures
150 seconds
General
-
Target
4life kopalnia (vmka RAT!!!!).rar
-
Size
15.8MB
-
MD5
cbb1d251d53f06f2120315be4f1f60a7
-
SHA1
f6faa01170df8e05a1d1e05ec2a3a2d572a7aee2
-
SHA256
a64f74746190a2da55afe7b5b6a95e826c6aa70afda165b276489d1738783631
-
SHA512
c3bc93d17d396a6f38b3fca7cb3154275b6029d8af000a699e19001b55d4bda6466b114e69bd0c3b1a84c8c72aa0e12d8a55500e5b81ab4b9df0011d9514e95b
-
SSDEEP
393216:Sj9LbXygD9TU8xdbNpDCYTGxirRLEeu6C:SRLb79IkdJpDCIeiFLEeu6C
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\rar_auto_file\shell\open OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.rar\ = "rar_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\rar_auto_file\shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000005456228f1000372d5a6970003c0009000400efbe5456228f5456228f2e000000afa50100000008000000000000000000000000000000b488250037002d005a0069007000000014000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Applications\7z.exe\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\rar_auto_file OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\rar_auto_file\shell\open\command OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Applications\7z.exe\shell\open\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Applications\7z.exe OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Applications OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\"" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.rar OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Applications\7z.exe\shell OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\"" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1840 OpenWith.exe 4700 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 3808 7z.exe Token: 35 3808 7z.exe Token: SeRestorePrivilege 4700 7zFM.exe Token: 35 4700 7zFM.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe 1840 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1840 wrote to memory of 3808 1840 OpenWith.exe 68 PID 1840 wrote to memory of 3808 1840 OpenWith.exe 68
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\4life kopalnia (vmka RAT!!!!).rar"1⤵
- Modifies registry class
PID:1232
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\4life kopalnia (vmka RAT!!!!).rar"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4400