Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/07/2023, 01:17

General

  • Target

    Kirsty.rar

  • Size

    4.3MB

  • MD5

    e54137334330ff4695cd5799b4bfde69

  • SHA1

    3f7d989f6131bb7ba708b40f11aa9e0095aab9b9

  • SHA256

    af9de83cb2e2057b6fd253f18b2543a33d796c74d3b781e636708c5e39a58799

  • SHA512

    136275f5039d08edc37a659caaed14148b3c208fad14b37db354a382b4b38a9a617ad8c0574fab3f7a21737b45700f1eee16e734d8f2a8aff46e3672477760d2

  • SSDEEP

    98304:L7G7XeeLqbQ3l3nQqB+gDSYWG1XvcjAxU9Sc40XUZ2dk0zMA1iN:vqva23nQ+jS5G1kjAxUNpQcXiN

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Kirsty.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Kirsty.rar
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Kirsty.rar"
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:472
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1544
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x52c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1616
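The tree above records what happened to the sample rather than what the sample does: "cmd /c" on a .rar in a VM that has no handler for that extension brings up the shell's Open With dialog (rundll32 shell32.dll,OpenAs_RunDLL), the program selected in that dialog was VLC, and VLC was started with --started-from-file, which is how it is invoked through a file association. The archive was never extracted, so the signatures and memory dumps on this page describe VLC, not the archive's contents. The following is an added example, not part of the report, that rebuilds the tree from the depth markers and flags such Open With chains so a run like this can be recognised automatically; the rows in REPORT_TREE are transcribed from the Processes section, and the names REPORT_TREE, build_tree and find_open_with_misfires are chosen here.

```python
"""Detect the 'no file handler' misfire in a sandbox process tree.

Added example; the rows below are transcribed from the report's Processes
section (depth marker, image, command line, PID).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: int
    parent: "Proc | None" = None
    children: list = field(default_factory=list)


# Transcribed from the report. AUDIODG.EXE carries its own "1" marker, so it
# is a top-level process, not a child of explorer.exe.
REPORT_TREE = [
    (1, r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\Kirsty.rar", 1016),
    (2, r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
     r"C:\Users\Admin\AppData\Local\Temp\Kirsty.rar", 320),
    (3, r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file '
     r'"C:\Users\Admin\AppData\Local\Temp\Kirsty.rar"', 472),
    (1, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"', 1544),
    (1, r"C:\Windows\system32\AUDIODG.EXE",
     r"C:\Windows\system32\AUDIODG.EXE 0x52c", 1616),
]


def build_tree(rows):
    """Link rows into parent/child relations from the depth markers:
    a row at depth d is a child of the most recent row at depth d-1."""
    procs, last_at_depth = [], {}
    for depth, image, cmdline, pid in rows:
        p = Proc(depth, image, cmdline, pid)
        parent = last_at_depth.get(depth - 1)
        if parent is not None:
            p.parent = parent
            parent.children.append(p)
        last_at_depth[depth] = p
        # Entries deeper than this row belong to an earlier branch and must
        # not be picked as parents for later rows.
        for d in [k for k in last_at_depth if k > depth]:
            del last_at_depth[d]
        procs.append(p)
    return procs


# shell32!OpenAs_RunDLL is the "Open With" dialog; its argument is the file
# that had no registered handler.
OPEN_WITH = re.compile(r"shell32\.dll,\s*OpenAs_RunDLL\s+(?P<target>.+)$", re.I)


def find_open_with_misfires(procs):
    """One record per Open With dialog in the tree: who launched it, the file
    it was handed, and whichever program was selected in it (the dialog's
    rundll32 children). A non-empty result means the sample was not run by
    a handler of its own."""
    hits = []
    for p in procs:
        m = OPEN_WITH.search(p.cmdline)
        if not m or p.image.lower().split("\\")[-1] != "rundll32.exe":
            continue
        hits.append({
            "launcher": p.parent.image if p.parent else None,
            "target": m.group("target").strip().strip('"'),
            "chosen_handler": [c.image for c in p.children],
            "pids": [p.pid] + [c.pid for c in p.children],
        })
    return hits


if __name__ == "__main__":
    for hit in find_open_with_misfires(build_tree(REPORT_TREE)):
        print(f"Open With misfire: {hit['target']} launched by {hit['launcher']}, "
              f"handled by {hit['chosen_handler']} (PIDs {hit['pids']})")
```

When this check fires, the run should be repeated with the archive extracted (or with an archiver installed in the image) before the score or the signatures are read as a verdict on the file.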

Network

MITRE ATT&CK Enterprise v6

Downloads (memory dumps of PID 472, vlc.exe; each file name encodes the PID, a sequence number and the dumped address range, followed by its size)

  • memory/472-83-0x000000013F750000-0x000000013F848000-memory.dmp  992KB
  • memory/472-84-0x000007FEF5A30000-0x000007FEF5A64000-memory.dmp  208KB
  • memory/472-86-0x000007FEFB390000-0x000007FEFB3A8000-memory.dmp  96KB
  • memory/472-85-0x000007FEF5460000-0x000007FEF5714000-memory.dmp  2.7MB
  • memory/472-87-0x000007FEF5A10000-0x000007FEF5A27000-memory.dmp  92KB
  • memory/472-88-0x000007FEF59F0000-0x000007FEF5A01000-memory.dmp  68KB
  • memory/472-89-0x000007FEF59D0000-0x000007FEF59E7000-memory.dmp  92KB
  • memory/472-90-0x000007FEF59B0000-0x000007FEF59C1000-memory.dmp  68KB
  • memory/472-91-0x000007FEF5990000-0x000007FEF59AD000-memory.dmp  116KB
  • memory/472-92-0x000007FEF5970000-0x000007FEF5981000-memory.dmp  68KB
  • memory/472-93-0x000007FEF4280000-0x000007FEF532B000-memory.dmp  16.7MB
  • memory/472-94-0x000007FEF4080000-0x000007FEF4280000-memory.dmp  2.0MB
  • memory/472-95-0x000007FEF4040000-0x000007FEF407F000-memory.dmp  252KB
  • memory/472-96-0x000007FEF4010000-0x000007FEF4031000-memory.dmp  132KB
  • memory/472-97-0x000007FEF3FF0000-0x000007FEF4008000-memory.dmp  96KB
  • memory/472-98-0x000007FEF3FD0000-0x000007FEF3FE1000-memory.dmp  68KB
  • memory/472-99-0x000007FEF3FB0000-0x000007FEF3FC1000-memory.dmp  68KB
  • memory/472-100-0x000007FEF3F90000-0x000007FEF3FA1000-memory.dmp  68KB
  • memory/472-101-0x000007FEF3F70000-0x000007FEF3F8B000-memory.dmp  108KB
  • memory/472-102-0x000007FEF3F00000-0x000007FEF3F11000-memory.dmp  68KB
  • memory/472-103-0x000007FEF3EE0000-0x000007FEF3EF8000-memory.dmp  96KB
  • memory/472-104-0x000007FEF3EB0000-0x000007FEF3EE0000-memory.dmp  192KB
  • memory/472-105-0x000007FEF3E40000-0x000007FEF3EA7000-memory.dmp  412KB
  • memory/472-106-0x000007FEF3DD0000-0x000007FEF3E3F000-memory.dmp  444KB
  • memory/472-107-0x000007FEF3DB0000-0x000007FEF3DC1000-memory.dmp  68KB
  • memory/472-108-0x000007FEF3D50000-0x000007FEF3DA6000-memory.dmp  344KB
  • memory/472-109-0x000007FEF3D20000-0x000007FEF3D48000-memory.dmp  160KB
  • memory/472-110-0x000007FEF3CF0000-0x000007FEF3D14000-memory.dmp  144KB
  • memory/472-111-0x000007FEF3CD0000-0x000007FEF3CE7000-memory.dmp  92KB
  • memory/472-112-0x000007FEF3CA0000-0x000007FEF3CC3000-memory.dmp  140KB
  • memory/472-113-0x000007FEF3C80000-0x000007FEF3C91000-memory.dmp  68KB
  • memory/472-114-0x000007FEF3C60000-0x000007FEF3C72000-memory.dmp  72KB
  • memory/472-115-0x000007FEF3C30000-0x000007FEF3C51000-memory.dmp  132KB
  • memory/472-116-0x000007FEF3C10000-0x000007FEF3C23000-memory.dmp  76KB
  • memory/472-117-0x000007FEF3BF0000-0x000007FEF3C02000-memory.dmp  72KB
  • memory/472-118-0x000007FEF3AB0000-0x000007FEF3BEB000-memory.dmp  1.2MB
  • memory/472-119-0x000007FEF3A80000-0x000007FEF3AAC000-memory.dmp  176KB
  • memory/472-120-0x000007FEF38C0000-0x000007FEF3A72000-memory.dmp  1.7MB
  • memory/472-121-0x000007FEF3860000-0x000007FEF38BC000-memory.dmp  368KB
  • memory/472-122-0x000007FEF3840000-0x000007FEF3851000-memory.dmp  68KB
  • memory/472-123-0x000007FEF37A0000-0x000007FEF3837000-memory.dmp  604KB
  • memory/472-124-0x000007FEF3780000-0x000007FEF3792000-memory.dmp  72KB
  • memory/472-125-0x000007FEF3540000-0x000007FEF3771000-memory.dmp  2.2MB
  • memory/472-126-0x000007FEF32C0000-0x000007FEF33D2000-memory.dmp  1.1MB
  • memory/472-127-0x000007FEF3500000-0x000007FEF3535000-memory.dmp  212KB
  • memory/472-128-0x000007FEF34D0000-0x000007FEF34F5000-memory.dmp  148KB
  • memory/472-129-0x000007FEF34B0000-0x000007FEF34C1000-memory.dmp  68KB
  • memory/472-130-0x000007FEF3250000-0x000007FEF32B1000-memory.dmp  388KB
  • memory/472-131-0x000007FEF3490000-0x000007FEF34A1000-memory.dmp  68KB
  • memory/472-132-0x000007FEF3230000-0x000007FEF3242000-memory.dmp  72KB
  • memory/472-133-0x000007FEF3210000-0x000007FEF3223000-memory.dmp  76KB
  • memory/472-134-0x000007FEF3170000-0x000007FEF320F000-memory.dmp  636KB
  • memory/472-135-0x000007FEF3150000-0x000007FEF3161000-memory.dmp  68KB
  • memory/472-136-0x000007FEF3040000-0x000007FEF3142000-memory.dmp  1.0MB
  • memory/472-137-0x000007FEF3020000-0x000007FEF3031000-memory.dmp  68KB
  • memory/472-138-0x000007FEF3000000-0x000007FEF3011000-memory.dmp  68KB
  • memory/472-139-0x000007FEF2FE0000-0x000007FEF2FF1000-memory.dmp  68KB
  • memory/472-140-0x000007FEF2FC0000-0x000007FEF2FD2000-memory.dmp  72KB
  • memory/472-141-0x000007FEF2FA0000-0x000007FEF2FB8000-memory.dmp  96KB
  • memory/472-142-0x000007FEF2F80000-0x000007FEF2F96000-memory.dmp  88KB
  • memory/472-143-0x000007FEF2F50000-0x000007FEF2F79000-memory.dmp  164KB
  • memory/472-144-0x000007FEF2F30000-0x000007FEF2F42000-memory.dmp  72KB
  • memory/472-145-0x000007FEF2F10000-0x000007FEF2F21000-memory.dmp  68KB
  • memory/472-146-0x000007FEF2EF0000-0x000007FEF2F01000-memory.dmp  68KB
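Every dump name above carries the PID (472, vlc.exe), a sequence number and the dumped address range, so the printed size can be re-derived from the name and cross-checked. The following is an added example, not part of the report: it parses the names, renders the byte count with the same rule the report appears to use (whole KB below 1 MiB, one decimal MB at or above it) and returns any entry whose printed size disagrees. The entries in REPORTED are transcribed from the list; the "exe-range" / "dll-range" labels are a heuristic for Windows 7 x64 user-mode layouts chosen here (system DLLs mapped in the 0x7FE... region, a 64-bit EXE with preferred base 0x140000000 relocated into 0x13F...), not something the report states.

```python
"""Cross-check sandbox memory-dump names against their printed sizes.

Added example; REPORTED holds entries transcribed from the report's
Downloads list. The address-range classification is an assumption about
Windows 7 x64 layouts, not report data.
"""
import re

REPORTED = [
    ("memory/472-83-0x000000013F750000-0x000000013F848000-memory.dmp", "992KB"),
    ("memory/472-84-0x000007FEF5A30000-0x000007FEF5A64000-memory.dmp", "208KB"),
    ("memory/472-85-0x000007FEF5460000-0x000007FEF5714000-memory.dmp", "2.7MB"),
    ("memory/472-93-0x000007FEF4280000-0x000007FEF532B000-memory.dmp", "16.7MB"),
    ("memory/472-136-0x000007FEF3040000-0x000007FEF3142000-memory.dmp", "1.0MB"),
]

NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split 'memory/PID-SEQ-0xSTART-0xEND-memory.dmp' into its fields and
    reject ranges that are empty or not page-aligned."""
    m = NAME.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"bad address range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "bytes": end - start}


def human_size(n):
    """Render bytes the way the report prints Filesize: whole KB below 1 MiB,
    one decimal MB at or above it (992KB, 2.7MB, 16.7MB)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def classify(start):
    """Heuristic (assumption): on Windows 7 x64, 0x7FE... is the system DLL
    region and 0x1xxxxxxxx is where a 64-bit EXE (preferred base
    0x140000000) lands after ASLR."""
    top = start >> 32
    if top == 0x7FE:
        return "dll-range"
    if top == 0x1:
        return "exe-range"
    return "other"


def check(entries):
    """Return (records, mismatches); a mismatch is a name whose derived size
    does not match the size printed beside it."""
    records, mismatches = [], []
    for name, printed in entries:
        r = parse_dump_name(name)
        r["printed"] = printed
        r["derived"] = human_size(r["bytes"])
        r["kind"] = classify(r["start"])
        records.append(r)
        if r["derived"] != printed:
            mismatches.append(name)
    return records, mismatches


def largest(records):
    """The biggest dumped region, a quick way to spot the main module or a
    large unpacked blob."""
    return max(records, key=lambda r: r["bytes"])


if __name__ == "__main__":
    recs, bad = check(REPORTED)
    for r in recs:
        print(f"pid={r['pid']} seq={r['seq']:>3} {r['kind']:<9} "
              f"{r['derived']:>7} (printed {r['printed']})")
    print("mismatches:", bad or "none")
```

Run on the full list, the check confirms the sizes are consistent and that every dump belongs to PID 472; the single region in the EXE range (seq 83, 992KB) is the loaded vlc.exe image, and the many small 0x7FE... regions are its plugin and system DLLs.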