0f0eefc7cea45d05d3a7b9f05c4e902bd4508b286e460c046af3df417c32d841

Analysis

max time kernel
130s
max time network
179s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
08/05/2023, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZModeler.2.2.6.rar
Size

5.3MB
MD5

e7f42859c0243b01cccf6ba3cbea562e
SHA1

85ac5356dfe6909c6470bb66fb558572c9ab9c39
SHA256

0f0eefc7cea45d05d3a7b9f05c4e902bd4508b286e460c046af3df417c32d841
SHA512

cd4cbfb0989ead5d445d83a09fb40b343167f64e782cf4ae23694526f63d38958f5abed070bb9dfc491047bb38c08190899e156755ee300572187fc6cd9a8aa1
SSDEEP

98304:lwDYcfONtaRXQvxDVdkFdnpEM0CukttcddJ4mFiqO+67vKJtwIHZ:lwDYcGuQiRzZMT2mFrQzotwIHZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5028	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5016	OpenWith.exe
4304	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4304	7zFM.exe
Token: 35	4304	7zFM.exe
Token: SeRestorePrivilege	5084	7zG.exe
Token: 35	5084	7zG.exe
Token: SeSecurityPrivilege	5084	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4304	7zFM.exe
5084	7zG.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5016	OpenWith.exe
5016	OpenWith.exe
5016	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 5028	4304	7zFM.exe	76
PID 4304 wrote to memory of 5028	4304	7zFM.exe	76
PID 4304 wrote to memory of 5084	4304	7zFM.exe	77
PID 4304 wrote to memory of 5084	4304	7zFM.exe	77

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ZModeler.2.2.6.rar
1⤵
- Modifies registry class
PID:1104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4568

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5028
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\vcredist2012_x64_1_vcRuntimeAdditional_x64\" -ad -an -ai#7zMap23398:102:7zEvent11916
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ConfirmUndo.css

Filesize
318KB

MD5
b3be02364c9f11d98b57a6d40d220b7b

SHA1
520a9bb1191c939a669103727a38cdefb53d89c4

SHA256
edeefcfa01e0d6308b59b0542766a08cac23f46149a172117a66a1224a9efe95

SHA512
99d3df9630049af12070743270472bb1c1caba47c9305aff230bb62e43728e8e4a247950e1b2efc9de26c62fda81a31277f6cd804ab54c06130b1b39652998e2

Download Submit
C:\Users\Admin\Desktop\ConfirmUpdate.shtml

Filesize
291KB

MD5
576086d0485c552515f1dc4207d8ea43

SHA1
646458d7429686376de1ff1358705ca1dd4407f6

SHA256
adb37434befbcc6168256d0ee560dc24eed6c2279a59d8e95cbca5cd3008d30e

SHA512
94ddb204ab1d4d23e9a14d3a345e0fb9733a668f7d40b0615c7f6396d353908988573836b1cc8b8390db5d5d242d2e9a60b33a7b3ed33cb7af621a380f94cb61

Download Submit
C:\Users\Admin\Desktop\DebugSend.001

Filesize
182KB

MD5
5d42b2c5eb07748e6a583339b0580b34

SHA1
4e30d7e6e82d7ac2e3842d24075b7a7dd3f12663

SHA256
94f9847e1e3cff841193a595a76350adcf3513dcc4aa4136c1e15e31288f6e4b

SHA512
0282fb4ff8fe84ed7ff2baac5009814a9da5dcd7103d25b854b475f2d189adbcd898c06d8383e70cc8a117a53405015b926b26145ea7db33da51847935d4a3f0

Download Submit
C:\Users\Admin\Desktop\EditRegister.pot

Filesize
413KB

MD5
0f00206c848bdba89c10135909be627a

SHA1
d5853fcbe63c04324bee4536bbf7cd191b239e81

SHA256
14686078b03a78bb6fd209c6064e51b55c69319e916811d7f73ff2adb9d78590

SHA512
ccb79fbb45d15c4d0348c59e0f01154ae77e9c800214d7f5620e53d97523347a9f5533d95d99e9483ecc6151d024610bffcab72950b175c722d2d7925e802bc2

Download Submit
C:\Users\Admin\Desktop\EnableClose.mov

Filesize
359KB

MD5
7e66edbcf7b26ad97ade2de1c1dfc547

SHA1
407ee72d1b34a63fad21ce640e2741175715673a

SHA256
5cf5dc46b708d324c5fe1d8cbc196b978c262d58d330dc05636e286b8692a4e6

SHA512
c87dbdc1ae3dcdae0b6af80524929c0ffd6422e0ec718c0904eb52dde610409e2eb105ef52d02a7643170e002a3d5918d870fa896ffeb638186ab6bfbb650b24

Download Submit
C:\Users\Admin\Desktop\EnableSelect.vstm

Filesize
304KB

MD5
c1bf76b5105d449c965d8f3c5cf85ae9

SHA1
a15bd2056d6205b46a7bf54c4c1676e72d76c391

SHA256
5f3af1509d5a7224acdb608ac5657db5a58afd0db631e1686e6f3bf09c6457df

SHA512
84d9430dffc1309b33252084707962e14723074f31ec339ec15692734db7587af9090191cdf9af19b8707404b5db775c5dd184cc79b882c190136db303c98593

Download Submit
C:\Users\Admin\Desktop\EnableUnlock.wmx

Filesize
237KB

MD5
256ac16cf73725b45f9b23c486fe922c

SHA1
2fdd60a3a57a15b14204781ec802c882c0e7edf9

SHA256
faf72cfd047c441317d58ba4c480ba7decdb6a7541f3abca1c412cbd25e0283b

SHA512
40a234ea316b5278eb49556ceb9802257b2bc0b3f8b4d69006b714f8432eb97579b59619f6724ff61421f306138632c179fd94c2a9e63a62ab518835631f3b93

Download Submit
C:\Users\Admin\Desktop\EnterMove.kix

Filesize
196KB

MD5
231a5b6efb9bc944ebb49265a734016e

SHA1
52275ae5d9c7d89ca7217173ee2d585d63d67f14

SHA256
92065bfc4493a2f26018f7cbd9df28bd4b35bf19b98ae123b861ea4baaa7b1ac

SHA512
0a2ce4fd10cdf01b1aef90d24284806a0c3a6df12c8746dc24ba68de7f106361ccce48bcae12f64a480e6be2a05f050ebcfe0e170dd02273c6fcb3900aa76699

Download Submit
C:\Users\Admin\Desktop\ExitUnblock.mpeg

Filesize
250KB

MD5
b9223c3e732f7b4808d149badfa96ef2

SHA1
4ac794d27527a0150b46cdc04df3392c27960ec7

SHA256
eea248a47a536b588d52e4da6b88e39e8cc0ac8d0266264715ad844de1fea5e0

SHA512
9a32fe9ff867240ff534bcc0cf5433df434b2675d64324a78221f3ca4f18f893ed7d6663398598eb126444ae4d5ad9f46123e482d18e7de3bb77e04255cd68b8

Download Submit
C:\Users\Admin\Desktop\ExpandUse.jpeg

Filesize
386KB

MD5
24febc93248c60ada6329f879a195bca

SHA1
9128dddc0fc5802f2610d77400e97eaf8c6ef600

SHA256
fcb8734d59a95a723764c2aef110d5f38022b343d94e72c300e2ebc450fe6e36

SHA512
76733da15d63cb237223091f562e1a47e5de72c797669cad89af7340554a1674202d67ec68828003fd9e68643b56dc673a5e4fc075e9c5c5b1650d7b7bfb0c96

Download Submit
C:\Users\Admin\Desktop\ExportDisable.mpg

Filesize
169KB

MD5
4d68dd937638bda05a46816294c7f64b

SHA1
0b192c02fa7e3ecfa32741de3af49b893d93bc42

SHA256
967b8995afce3a83957bf01e62e7860c795b7b86c4d0e5c2b0bd97a56247194d

SHA512
1f9b9d293e45ef2cbcd98ea5f92b12937ad45b6df06c82351cb49d412c7173a6d547ee6170ccca03a3b15cd8d614df755637f6d1af9cc6ec3ec8008e2dfd7327

Download Submit
C:\Users\Admin\Desktop\FindRestore.dotm

Filesize
440KB

MD5
6251b387a8bd370e586a9eccc29df63d

SHA1
a34eb61e278246849cc713348ff7fbee5a941f5d

SHA256
4e166b7f29064c41a524ebefb81b37183d7d11a07071f4f1171dab2784148659

SHA512
71dcf722dd60570ead8718418c3422fc77bae6b293968a8fafb2b2d70157736982bf395d87eb7649b7fa31afd90b0f4412b9cf9ccdce0c09f06bbaeaa97ba69b

Download Submit
C:\Users\Admin\Desktop\GetNew.clr

Filesize
210KB

MD5
d9d4f3bb14bb62bf00b0781579b5bd9d

SHA1
74bbf8d4beaeb14f8bcecd8ac3405b79902ff571

SHA256
b60a7f5fdaffb1032e5c4d1a281cc320b96f05b36237afb00658612987a79581

SHA512
f5d2fe0c934eb008e19e48274dfef2aa2bbfa5e4bb75dc2afa4ae1c8e5f5d0fa60a07d9483d4aa8fa06d10ea97c10c28ca4fd210e153ae760f2851fc2433d19e

Download Submit
C:\Users\Admin\Desktop\LimitUndo.ram

Filesize
223KB

MD5
9f95e309f5681ec9e7c372128fc7661a

SHA1
6e7539ba9adb9e2960b2ef6884bccccc9ad5780a

SHA256
91907f028371e6d5c67bd102e5b0e7226e8ffbb0c60ceb8bc28362e7c4a1cd6c

SHA512
c86888c29d377e551627ef0a511253d7dcede3a86da5d3175cc8b2d27b30748ca67a4693bf6599a1e2f5a031e5c662aee9df249a2b78004b870e4f8aba378ae9

Download Submit
C:\Users\Admin\Desktop\OpenExit.pcx

Filesize
609KB

MD5
ab72b80256775f49ec3e9c5d1839d42c

SHA1
ac8994a8967da9dcc05558f47806b0f73bb2923c

SHA256
7ac8a92f3834a3d0278597b144d4eaf087dbce5b19c0392cfa68ca945dfda72e

SHA512
f0e37fda1fd6af7e2837d905a9bb3f7b3758a8922dd9b1c0fa0204dfe233ac255648a91af1173717a401f98f8734df9181f28f9a35199552d0cca71beb74efb9

Download Submit
C:\Users\Admin\Desktop\PingConvertFrom.ico

Filesize
372KB

MD5
e35c5e69152272a19dfba40e0f105da5

SHA1
55a98a699c8b8dd6b18fb537079326d14c1a3510

SHA256
1687a65283759e69d5e2ab3cc64c78b9d6795f8d7ed4fd7e38275d340d8235da

SHA512
2d38c3c4267f2aad5dd63f79f78aafa51402f0e97b7dcb914fb6f66a61f39e15d206c7cdf17223853954cbba77b9962728ea8a54fce308aa577ee6f34b138dc0

Download Submit
C:\Users\Admin\Desktop\ProtectWait.vssm

Filesize
331KB

MD5
73e9defd60539827a288f312545f9f1f

SHA1
3c2da412b5e4af6e2494eca6920fed4006a719a4

SHA256
be01eb1bbdf698b3ab9c56bd14ad6a8831459a4393a2b4d46c1036ab72952250

SHA512
549683a985886216590d78ae3fe5899787f3d2947428bfcc4f90ced93372cc246ebb1a15f5a3b08ec7739b009175ac288cc99572cb3eb15a62701e0fd3897edf

Download Submit
C:\Users\Admin\Desktop\RequestConvertTo.DVR-MS

Filesize
155KB

MD5
a28e8a143d7d95f627b163369326d0f8

SHA1
94d2cf93ac9b310410ffaaaa9d41327246a6f0b4

SHA256
04ef0ff233f642df6db272e39e49749ef4e380b8a5dab0dfc5e93527c003b76f

SHA512
73cf6a6d70be288cf15af1e18ec02daa8673440ea233f38963b5176bc323f8d1232ed8f8c027e0d452996328b24e82bb7c412d188ee16c6b9abad3eb220d7148

Download Submit
C:\Users\Admin\Desktop\SplitOpen.raw

Filesize
264KB

MD5
0eb74845e1f0c1511314c244ceec5f6d

SHA1
6492c64dad6b079195786738c9a67696cd67a912

SHA256
02e83ec3ef76b84a0a45023a873cc7d2f8fe3794a9adcba9acc08910b2d39cc7

SHA512
96c7dcc20f4f283a54e944837baea7cbb7ecdea62127c66895f6fe030f8a3d2cde86c13e568328ed927b954c58d87116b4b6f13847f015ae52ce828f05fcd20e

Download Submit
C:\Users\Admin\Desktop\StartEnable.M2V

Filesize
345KB

MD5
beb6445c5214e0f3c99c51d3d57c4ce1

SHA1
58a17a283a8325e3012f2089c8c55bbabeb02437

SHA256
c8412b04bb9ef3871662748fbabc69ab5e6d43976370ee53276542bbd0c3c2dd

SHA512
1cbfb41c4c618657d76901c7add937f0f894dc746f788bcbc811ef20124ae422bd56674f65d5d215c58931cf61a0d960d3872375fd9997619a062f899211278c

Download Submit
C:\Users\Admin\Desktop\UndoGrant.dotm

Filesize
277KB

MD5
9425935dc5bd1fc99bedeffb42abb1ce

SHA1
54fa6af8233b7353b8bc7cfbd5c76716b220103e

SHA256
2e620863619099c4b2bf4b38197bae3318368a4012b08eed56092bb2c3afcdcd

SHA512
5135b265a0281d2e7edf79f7754c6513aacbb44351df255eddc4106606077d323ce7440d7fb91c78672470274a00e6389af743a5f44c0a34eb850610d6097f23

Download Submit
C:\Users\Admin\Desktop\UpdateRestart.gif

Filesize
399KB

MD5
e1ef892efce4115514510fdd6fece75b

SHA1
a0547f063a34a6d714f57acc09921480ea832f57

SHA256
b0dd8fc5433458f587d255f60f46b034b067f413c299512bde05d365c38f3193

SHA512
db24d98512fa14f4f9c3a86e99db4f08602343af363bffb1321d4b552671744bf7510e50a6fb83d8462b60fc6f6f1d2c2a3cda6143b0274b49252eaf4eddaa90

Download Submit
C:\Users\Admin\Desktop\WaitUnprotect.m4a

Filesize
426KB

MD5
1fbf879eb0871d2e4d726c81cf1daf0e

SHA1
a312795edd16093c39d3d5566125e031af548ec5

SHA256
8bffc789844d953151781cdd92c28f94342885b82f788c01b287ce7ce3a0e5c6

SHA512
b0146b32f3dfc7df885712ec6c47f8c535e85822934b44906bd127ccaca9c5d22e241500ab553247612654ec4c1cfc74b38335920d6af1fdb7cd4097a8faedec

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
5ecbb06717f462da15f407b9908ff34b

SHA1
7ec4b6152378ecac57efd193497c18226d47d83f

SHA256
f9224fb5fc01e3bdaa789fa19f90e63203776e8614769f81afc2fcf859af1038

SHA512
1c4fe6e1226c502fdc245b81364d3e98d35424f224774384fe29913df3207abd2a19583edeb359fff0215b937efc8866bb487a4be97c712fddcff0513d47d6c0

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
d28c1414ff0026ddd670db5ab6578785

SHA1
7d5a16facdf1908f0c9c83197cac04a59f5fc971

SHA256
b07721083bdbbfbcacb4e53264addb6b2ee31860c2823c53ea3e72f51d11f892

SHA512
d21e72763ed9527c087abd1441644071cb95850392f31c6b728c13226e98ea7533fe40fd523e36c6a777a82aa82c787e359bd976bdba802d52374a26b903fefb

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
b44e2121612244c1e3a392551feb374b

SHA1
df3ea2a8ece1a8f9f17ff961371dc18255e9c379

SHA256
597bb3efbfee0e4a6b6369c6c6a7881a519eeff1dde95165d9f2a80052997a40

SHA512
c9a0496aef67c1dc1a4bd82d31cb8618fd3c00b490c3cf8dc7016d9e4a0988f9f7cc0bf87236e8fa3d81d1076d0b7651be3a5489b1adca3f8bed00679b2a2be2

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
2feef89f2ebe031a4d2447c955b3b107

SHA1
35a14410fcaea659335f3e443a4995e64531815f

SHA256
04e0f406f40d794399a47a27e21dd3384768f796c665f6add515da7f09ec5f23

SHA512
c3119dd4cd2a3420f174d2bcf3ce92dfca9f2971655fbac98618d427fea610aac7842af6b46b35ca47d6adcf293d5606bee0e3201ed9b358d44d99a2765c840d

Download Submit