Analysis
Max time kernel: 1232s
Max time network: 1236s
Platform: windows7_x64
Resource: win7-20230220-es
Resource tags: arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system:windows
Submitted: 10-05-2023 22:15
Static task: static1
Behavioral task: behavioral1
  Sample: Open_Setup_Use_2023_As_PassWord.rar
  Resource: win7-20230220-es
Behavioral task: behavioral2
  Sample: Open_Setup_Use_2023_As_PassWord.rar
  Resource: win10v2004-20230220-es
The signatures, process tree and dumps below come from the behavioral1 run (win7-20230220-es, Spanish-locale Windows 7 x64); the behavioral2 (win10v2004) run is not reproduced on this page.
General
Target: Open_Setup_Use_2023_As_PassWord.rar
Size: 17.7MB
MD5: ec63229d00684415d591cef854167dd2
SHA1: 73afa5c05b2cb0c3a9d0ca279e610f24c10968b5
SHA256: 5e2e0fc2557c1471e5fda621f70cc560b1a589d7e91479cced85ca3c36830f8f
SHA512: 9b3541f4d9eb6d7a54a37371492e559cbe1281f79d042829a60f2a96148762361ea33e6030574433153025c964956cface47bdcc6f4130e53973081d33bf507b
SSDEEP: 393216:uaMZMSMm7fFnlDU6iqvz0DVjzeqDJdQIWOgSn5xMuortdTKX7Ev7QPXYVqbJ:uaClf/w6h709RDJxL5GsI7QgAl
The filename advertises the archive password (2023). Because the archive is encrypted, static scanners cannot see the payload inside it: the hashes above identify the lure as delivered, while the hashes of the dropped +Setup.exe under Downloads are the ones to hunt for on endpoints.
Malware Config
Extracted family: raccoon
Extracted identifier (32 hex characters, as reported): 8ed6e26daba8160b1050248b4a36291b
C2:
  http://37.220.87.69
  http://83.217.11.13
  http://94.142.138.126/
All three C2 endpoints are plain HTTP to bare IP addresses with no DNS name involved. Block and hunt on the IPs themselves, and when matching logs do not depend on the trailing slash, the scheme or a particular port: only the host is stable.
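The host-only matching just described, as an added example that is not part of the sandbox report or of Raccoon itself. The three C2 URLs are the ones extracted above; the log lines are constructed samples in squid, Zeek conn and Windows Firewall styles, so the script runs offline. It also accepts a DNS-name C2 (an assumption for other builds; none appears on this page).

```python
"""Match network log lines against the Raccoon C2 hosts extracted above.

Added example for this report, not sandbox output or Raccoon code. The C2
URLs are the three from the Malware Config section; the log lines are
constructed samples in squid, Zeek conn and Windows Firewall styles.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# C2 endpoints exactly as extracted from the sample's config (report data).
RACCOON_C2 = [
    "http://37.220.87.69",
    "http://83.217.11.13",
    "http://94.142.138.126/",
]

# Any IPv4 literal in a line that is not glued to other digits or dots, so a
# timestamp such as 1683757012.115 is never taken for part of an address.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def c2_hosts(urls):
    """Reduce C2 URLs to bare lowercase hosts.

    Scheme, port, path and trailing slash are all dropped, so a beacon to
    port 8080 or to a '/gate' path still matches the same host."""
    hosts = set()
    for u in urls:
        parts = urlsplit(u if "://" in u else "http://" + u)
        if parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts


def _ipv4_literals(line):
    """All syntactically valid IPv4 addresses present in one log line."""
    found = set()
    for cand in _IPV4.findall(line):
        try:
            found.add(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            pass  # e.g. 999.1.1.1 looks like an address but is not one
    return found


def find_c2_hits(log_lines, c2_urls=RACCOON_C2):
    """Return one (line_no, matched_host, line) tuple per log line naming a C2 host.

    IP C2 hosts are compared against the IPv4 literals in the line; a C2 given
    as a DNS name (assumed here, none on this page) is matched as a
    case-insensitive token bounded by non-hostname characters.
    """
    hosts = c2_hosts(c2_urls)
    hits = []
    for no, line in enumerate(log_lines, 1):
        ips = _ipv4_literals(line)
        lower = line.lower()
        for host in sorted(hosts):
            try:
                ipaddress.IPv4Address(host)
                matched = host in ips
            except ValueError:
                pattern = r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])"
                matched = re.search(pattern, lower) is not None
            if matched:
                hits.append((no, host, line))
                break  # one hit per line is enough for triage
    return hits


# Constructed log lines (not from the sandbox run); the three C2 IPs are real.
SAMPLE_LOGS = [
    "1683757012.115    412 10.0.0.23 TCP_MISS/200 1834 POST http://94.142.138.126/ - HIER_DIRECT/94.142.138.126 text/html",
    "1683757013.004 CkXr2a 10.0.0.23 49812 83.217.11.13 80 tcp http 0.41 612 9001",
    "1683757014.220 CkXr2b 10.0.0.23 49813 93.184.216.34 443 tcp ssl 0.10 512 4096",
    "2023-05-10 22:16:05 ALLOW TCP 10.0.0.23 37.220.87.69 49814 8080 0 - 0 0 0 - - - SEND",
]

if __name__ == "__main__":
    for no, host, line in find_c2_hits(SAMPLE_LOGS):
        print(f"line {no}: C2 host {host}: {line}")
```

The Windows Firewall line deliberately uses port 8080 and the squid line carries the trailing slash from the config; both still match because only the host survives normalisation.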
Signatures
Executes dropped EXE (1 IoC)
  Process: +Setup.exe (PID 364)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Process: +Setup.exe (PID 364), two calls
  NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the calling thread from delivering debug events. It is a standard anti-debugging step and the first sign on this page that +Setup.exe is the protected payload rather than an ordinary installer.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  rundll32.exe: key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings
  rundll32.exe: key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Both keys are written by the shell's "Open with" dialog (the rundll32.exe OpenAs_RunDLL entry in the process tree), not by the sample.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: +Setup.exe (PID 364)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  7zG.exe (PID 1236): SeRestorePrivilege; privilege 35 (the LUID of SeCreateSymbolicLinkPrivilege); SeSecurityPrivilege; SeSecurityPrivilege
  These are the privileges 7-Zip requests to restore NTFS attributes and links during extraction; they belong to the unpacking of the archive, not to the payload.
Suspicious use of FindShellTrayWindow (1 IoC)
  7zG.exe (PID 1236)
Suspicious use of WriteProcessMemory (3 IoCs)
  cmd.exe (PID 1368) wrote to the memory of rundll32.exe (PID 1100), three events
  This is the ordinary parent-writes-into-new-child pattern from cmd.exe starting rundll32.exe, not an injection by the sample.
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar
      - Modifies registry class
1. C:\Windows\system32\verclsid.exe
   "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1. C:\Program Files\7-Zip\7zG.exe
   "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\" -spe -an -ai#7zMap2291:120:7zEvent9206
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
1. C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
   "C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe"
   - Executes dropped EXE
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
How to read the tree: the sandbox ran cmd /c on the .rar; with no handler registered for that extension, the shell opened the "Open with" dialog through shell32's OpenAs_RunDLL, and verclsid.exe is the shell validating a shell extension on the way. 7zG.exe is the 7-Zip GUI extracting the archive into a Desktop folder named after it (-o sets the target, -spe avoids a duplicated root folder, -an -ai#7zMap means the archive list came from the shell extension's file mapping); the password is not on the command line because the GUI prompts for it. +Setup.exe was then run directly from that folder. Everything flagged on cmd.exe, rundll32.exe, verclsid.exe and 7zG.exe is extraction machinery; only the +Setup.exe node is the sample's own behaviour.
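The "archive extracted, then an executable run out of the extraction folder" chain in the tree above is what an endpoint rule should key on, independent of this sample's hashes. The following is an added example, not part of the sandbox report or any product: it builds the chain from Sysmon-style process-creation records. The command lines and PIDs 1368, 1100, 1236 and 364 are the ones on this page; the timestamps, the parent PID 900 and the PID 1204 given to verclsid.exe (the report does not list its PID) are constructed.

```python
"""Flag 'extract, then run what was extracted' and 'Open with' prompts from process events.

Added example, not part of the sandbox report. Command lines and PIDs 1368,
1100, 1236 and 364 are from the page; ts, ppid 900 and PID 1204 are constructed.
"""
import re
from pathlib import PureWindowsPath

# Process-creation events in the shape of Sysmon Event ID 1 fields (constructed records).
EVENTS = [
    {"ts": 1, "pid": 1368, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar"},
    {"ts": 2, "pid": 1100, "ppid": 1368, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar'},
    {"ts": 3, "pid": 1204, "ppid": 900, "image": r"C:\Windows\system32\verclsid.exe",
     "cmdline": r'"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401'},
    {"ts": 4, "pid": 1236, "ppid": 900, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\" -spe -an -ai#7zMap2291:120:7zEvent9206'},
    {"ts": 5, "pid": 364, "ppid": 900, "image": r"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe"'},
]

# 7-Zip's output-directory switch, quoted (-o"dir") or bare (-odir).
_OUTDIR = re.compile(r'-o"([^"]+)"|-o(\S+)')
_ARCHIVE_TOOLS = {"7zg.exe", "7z.exe"}


def _norm_dir(p):
    """Lowercase Windows path without a trailing separator, for comparisons."""
    return str(PureWindowsPath(p)).lower().rstrip("\\")


def extraction_dirs(events):
    """Map each 7-Zip PID to (ts, directory it extracts into)."""
    dirs = {}
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() not in _ARCHIVE_TOOLS:
            continue
        m = _OUTDIR.search(e["cmdline"])
        if m:
            dirs[e["pid"]] = (e["ts"], _norm_dir(m.group(1) or m.group(2)))
    return dirs


def _under(path, directory):
    """True when the file at path sits inside directory (case-insensitive, any depth)."""
    parent = _norm_dir(PureWindowsPath(path).parent)
    return parent == directory or parent.startswith(directory + "\\")


def analyze(events):
    """Return alert dicts, in event order, for the two patterns in the tree above."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    # Pattern 1: the shell asked 'Open with?' for a file, i.e. no handler was registered.
    for e in events:
        if (PureWindowsPath(e["image"]).name.lower() == "rundll32.exe"
                and "openas_rundll" in e["cmdline"].lower()):
            alerts.append({"rule": "open-with-prompt", "pid": e["pid"],
                           "detail": "file with no registered handler opened via shell32 OpenAs_RunDLL"})
    # Pattern 2: an executable started from a directory that an archive tool extracted into earlier.
    dirs = extraction_dirs(events)
    for e in events:
        if not e["image"].lower().endswith(".exe"):
            continue
        for tool_pid, (tool_ts, d) in dirs.items():
            if e["ts"] > tool_ts and _under(e["image"], d):
                alerts.append({"rule": "exec-from-extracted-dir", "pid": e["pid"],
                               "extractor_pid": tool_pid, "dir": d})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a)
```

The second rule fires on legitimate installers unpacked from archives too; it is a triage signal to pair with the file-size and anti-debug observations elsewhere on this page rather than a block-on-sight rule.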
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
  Filesize: 1550.3MB
  MD5: ddb9346458f3d52e9cd7311ebba05621
  SHA1: a7a1e5285e89f76e6977bb2f933261ed0dec28b0
  SHA256: 15dcfa1f09c09d785366153b395424b866cd3dd89378175919f5c16ef228c2cc
  SHA512: e372c4f6d4060044e7b9067f5f6bc17cc001d5259267521be7adc45c922c7142df3c51559587db8c714d67e8db0cd7efa4296f7e79cc322b621859ed1c693b14
  A 1550.3MB executable unpacked from a 17.7MB archive, with a mapped image of only 26.0MB (the 0x400000-0x1DF6000 dump below), is consistent with the payload being padded with highly compressible filler so that it exceeds the file-size limits of antivirus scanners and sample uploaders. Hash the file anyway, but expect many tools to skip it on size alone.
Memory dumps (PID 364, +Setup.exe)
  memory/364-143-0x0000000000240000-0x0000000000241000-memory.dmp: 4KB
  memory/364-145-0x0000000000240000-0x0000000000241000-memory.dmp: 4KB
  memory/364-144-0x0000000000240000-0x0000000000241000-memory.dmp: 4KB
  memory/364-147-0x0000000000250000-0x0000000000251000-memory.dmp: 4KB
  memory/364-146-0x0000000000250000-0x0000000000251000-memory.dmp: 4KB
  memory/364-148-0x0000000000250000-0x0000000000251000-memory.dmp: 4KB
  memory/364-149-0x0000000000400000-0x0000000001DF6000-memory.dmp: 26.0MB
The 0x400000-0x1DF6000 region is the process's main module image (0x400000 is the conventional image base of a 32-bit PE); its 26.0MB dump is the artifact to scan for the in-memory payload and its strings. The six 4KB dumps are two single pages, each captured three times.
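The size comparison behind the padding remark under Downloads, as an added example that is not part of the sandbox report: it parses the dump file names above into address ranges, reproduces the report's size figures from them, and compares the dropped file's on-disk size with the mapped image size. The dump names, the 4KB and 26.0MB figures and the 1550.3MB file size are from this page; the 10x inflation threshold is an assumption made here.

```python
"""Parse 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' names and check on-disk vs mapped size.

Added example, not part of the sandbox report. Dump names and sizes are from
the page; the inflation threshold of 10x is a heuristic chosen here.
"""
import re

_DUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
_SIZE = re.compile(r"^\s*([\d.]+)\s*(B|KB|MB|GB)\s*$", re.I)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Dump names exactly as listed in the report.
DUMP_NAMES = [
    "memory/364-143-0x0000000000240000-0x0000000000241000-memory.dmp",
    "memory/364-145-0x0000000000240000-0x0000000000241000-memory.dmp",
    "memory/364-144-0x0000000000240000-0x0000000000241000-memory.dmp",
    "memory/364-147-0x0000000000250000-0x0000000000251000-memory.dmp",
    "memory/364-146-0x0000000000250000-0x0000000000251000-memory.dmp",
    "memory/364-148-0x0000000000250000-0x0000000000251000-memory.dmp",
    "memory/364-149-0x0000000000400000-0x0000000001DF6000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump name into pid, index, start, end and the region length in bytes."""
    m = _DUMP.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format the way the report does: binary units, one decimal for MB/GB, none for KB."""
    if nbytes >= _UNIT["GB"]:
        return f"{nbytes / _UNIT['GB']:.1f}GB"
    if nbytes >= _UNIT["MB"]:
        return f"{nbytes / _UNIT['MB']:.1f}MB"
    if nbytes >= _UNIT["KB"]:
        return f"{nbytes / _UNIT['KB']:.0f}KB"
    return f"{nbytes}B"


def parse_size(text):
    """Turn a report size such as '1550.3MB' back into bytes (binary units)."""
    m = _SIZE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2).upper()])


def image_region(dumps):
    """The largest dumped region; on this page that is the main module image at 0x400000."""
    return max(dumps, key=lambda d: d["size"])


def padding_ratio(file_size_text, dumps):
    """On-disk size divided by mapped image size; far above 1 means bulk that is never mapped."""
    return parse_size(file_size_text) / image_region(dumps)["size"]


def looks_inflated(file_size_text, dumps, threshold=10.0):
    """Heuristic (threshold is an assumption): flag files whose on-disk size dwarfs their image."""
    return padding_ratio(file_size_text, dumps) >= threshold


REPORT_DUMPS = [parse_dump_name(n) for n in DUMP_NAMES]

if __name__ == "__main__":
    for d in REPORT_DUMPS:
        print(f"pid {d['pid']} #{d['idx']}: 0x{d['start']:X}-0x{d['end']:X} = {human_size(d['size'])}")
    print("on-disk / mapped image ratio: %.1f" % padding_ratio("1550.3MB", REPORT_DUMPS))
    print("inflated:", looks_inflated("1550.3MB", REPORT_DUMPS))
```

A large overlay on a legitimate installer also drives this ratio up, so treat the flag as a reason to look at what the padding contains, not as a verdict on its own.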