6fba3a266639de2e75def408f50ed3c886f9541724bf8db0f1fa276538e8c093

Analysis

max time kernel
71s
max time network
65s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File-Slime.Rancher.v1.4.4_108560.exe
Size

14.2MB
MD5

24df7ad59eabbe35724e792e7a2ee529
SHA1

08eb769ae922185b7746fb358249ca11bf3916b9
SHA256

6fba3a266639de2e75def408f50ed3c886f9541724bf8db0f1fa276538e8c093
SHA512

583bfc20533b9c1763cfe4181971bc8ccdb044564f276c89d87bd02095f9c1246668f6b688dca7ad3ed093d7780508053932f9732681a8d4a3022dc5f2ae71dd
SSDEEP

393216:RSFiOb2vyWNWPcCPMKxMnxE6X7HL6xEjccfLExHuDJsv6tWKFdu9CN:RSFiOb2H7HL6Sp

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	GORGEOUSqSystem.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	GORGEOUSqSystem.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	GORGEOUSqSystem.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	GORGEOUSqSystem.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	GORGEOUSqSystem.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	GORGEOUSqSystem.exe

Executes dropped EXE 1 IoCs

pid	Process
1352	GORGEOUSqSystem.exe

Loads dropped DLL 5 IoCs

pid	Process
1640	File-Slime.Rancher.v1.4.4_108560.exe
1640	File-Slime.Rancher.v1.4.4_108560.exe
1640	File-Slime.Rancher.v1.4.4_108560.exe
1640	File-Slime.Rancher.v1.4.4_108560.exe
1352	GORGEOUSqSystem.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	GORGEOUSqSystem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	GORGEOUSqSystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	GORGEOUSqSystem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	GORGEOUSqSystem.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
748	File-Slime.Rancher.v1.4.4_108560.exe
1640	File-Slime.Rancher.v1.4.4_108560.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	File-Slime.Rancher.v1.4.4_108560.exe
1640	File-Slime.Rancher.v1.4.4_108560.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	File-Slime.Rancher.v1.4.4_108560.exe
Token: SeDebugPrivilege	1640	File-Slime.Rancher.v1.4.4_108560.exe
Token: 33	2036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2036	AUDIODG.EXE
Token: 33	2036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2036	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
748	File-Slime.Rancher.v1.4.4_108560.exe
1640	File-Slime.Rancher.v1.4.4_108560.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1640	748	File-Slime.Rancher.v1.4.4_108560.exe	26
PID 748 wrote to memory of 1640	748	File-Slime.Rancher.v1.4.4_108560.exe	26
PID 748 wrote to memory of 1640	748	File-Slime.Rancher.v1.4.4_108560.exe	26
PID 748 wrote to memory of 1640	748	File-Slime.Rancher.v1.4.4_108560.exe	26
PID 1640 wrote to memory of 1352	1640	File-Slime.Rancher.v1.4.4_108560.exe	27
PID 1640 wrote to memory of 1352	1640	File-Slime.Rancher.v1.4.4_108560.exe	27
PID 1640 wrote to memory of 1352	1640	File-Slime.Rancher.v1.4.4_108560.exe	27
PID 1640 wrote to memory of 1352	1640	File-Slime.Rancher.v1.4.4_108560.exe	27
PID 1640 wrote to memory of 1352	1640	File-Slime.Rancher.v1.4.4_108560.exe	27
PID 1640 wrote to memory of 1352	1640	File-Slime.Rancher.v1.4.4_108560.exe	27
PID 1640 wrote to memory of 1352	1640	File-Slime.Rancher.v1.4.4_108560.exe	27

C:\Users\Admin\AppData\Local\Temp\File-Slime.Rancher.v1.4.4_108560.exe
"C:\Users\Admin\AppData\Local\Temp\File-Slime.Rancher.v1.4.4_108560.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\File-Slime.Rancher.v1.4.4_108560.exe
  "C:\Users\Admin\AppData\Local\Temp\File-Slime.Rancher.v1.4.4_108560.exe" /restr
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe
    "C:\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1352

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
\Program Files (x86)\GORGEOUSSeedphoSystem\GORGEOUSqSystem.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
\Program Files\7-Zip\7zFM.exe

Filesize
935KB

MD5
d36deceeb4c9645aab2ded86608d090b

SHA1
912f4658c4b046fbadd084912f9126cb1ae3737b

SHA256
018d74ff917692124dee0a8a7e6302aecd219d79b049ad95f2f4eedea41b4a45

SHA512
9752a9e57dd2e6cd454ba6c2d041d884369734c2b62c53d3ec4854731c398cd6e25ac75f7a55cda9d4b4c2efb074cb2e6efcbf3080cd8cc7d9bc8c9a25f62ff2

Download Submit