Overview

overview

10

Static

static

10

database.tar

windows10-2004-x64

9

Resubmissions

30-07-2023 23:06

230730-23w4asbf54 10

30-07-2023 20:04

230730-ytlz7abc77 10

30-07-2023 20:00

230730-yqxyaabc67 10

Analysis

  • max time kernel
    182s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2023 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    database.tar

  • Size

    69.7MB

  • MD5

    ea91bffa35a90c625af0fa48b10b7efe

  • SHA1

    d6d3818f44d82c1e3e2933aa13e87c592d4e7670

  • SHA256

    35f81c70e570891c59d7fdcef17d22d6f6df913a0e30dcb1dd6fc42a38b48475

  • SHA512

    a9c53f487f3552fe7749ba0a9c79cf6a8b3c06794f7862b696c6e04f164cb0630791ed772120267e5c9c0276cc0efc4b269fa4629575df544bcd4f745954a74c

  • SSDEEP

    1572864:UvrzuXaQLrouRp2OztQNmsoF5bfq1oDRl6toF88B99ea7/KOAhi:QrzELrDhQ0soF5bm6d8A5n

Score
9/10
evasionransomwareupx

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\database.tar
    1⤵
    • Modifies registry class
    PID:4352
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4784
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 3692 -ip 3692
    1⤵
      PID:4652
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3692 -s 2584
      1⤵
      • Program crash
      PID:1140
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4708
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\database\" -spe -an -ai#7zMap31898:96:7zEvent30868
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1000
      • C:\Users\Admin\AppData\Local\Temp\database\TEMZ.exe
        "C:\Users\Admin\AppData\Local\Temp\database\TEMZ.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1304
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x408 0x3d8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4176
      • C:\Users\Admin\AppData\Local\Temp\database\Vbs_To_Exe.exe
        "C:\Users\Admin\AppData\Local\Temp\database\Vbs_To_Exe.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Users\Admin\AppData\Local\Temp\database\Vbs_To_Exe.exe
          "C:\Users\Admin\AppData\Local\Temp\database\Vbs_To_Exe.exe" /cl C:\Users\Admin\AppData\Local\Temp\4491.tmp\ C:\Users\Admin\AppData\Local\Temp\4491.tmp\Scilexer.dll
          2⤵
          • Executes dropped EXE
          PID:5104
      • C:\Users\Admin\AppData\Local\Temp\database\razorVirus_Builder.exe
        "C:\Users\Admin\AppData\Local\Temp\database\razorVirus_Builder.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1428
      • C:\Users\Admin\AppData\Local\Temp\database\razorVirus_Builder.exe
        "C:\Users\Admin\AppData\Local\Temp\database\razorVirus_Builder.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3708
      • C:\Users\Admin\AppData\Local\Temp\database\Spark.exe
        "C:\Users\Admin\AppData\Local\Temp\database\Spark.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\System32\bcdedit.exe
          "C:\Windows\System32\bcdedit.exe" -set nointegritychecks on
          2⤵
          • Modifies boot configuration data using bcdedit
          PID:3736
        • C:\Windows\System32\bcdedit.exe
          "C:\Windows\System32\bcdedit.exe" -set testsigning on
          2⤵
          • Modifies boot configuration data using bcdedit
          PID:1668

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\Scilexer.dll
        Filesize

        399KB

        MD5

        9092cc0fa27603c620df12b58c4c89df

        SHA1

        7b2e36fcf71aa8e20c3006a1ec001d50503a66e7

        SHA256

        6468cdf465b47c64ec621f548fff5e32ca24e21f50a331a17014f68006b12f0e

        SHA512

        a5a0d023cd06cc3b398b6929dfefb345d1ead3de54728b916e2c1c6a492a34ef610a0eedb55864b6f3d6f98fde2273223b4496a5a27b1b3ba87ba0baa6138419

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\Scilexer.dll
        Filesize

        399KB

        MD5

        9092cc0fa27603c620df12b58c4c89df

        SHA1

        7b2e36fcf71aa8e20c3006a1ec001d50503a66e7

        SHA256

        6468cdf465b47c64ec621f548fff5e32ca24e21f50a331a17014f68006b12f0e

        SHA512

        a5a0d023cd06cc3b398b6929dfefb345d1ead3de54728b916e2c1c6a492a34ef610a0eedb55864b6f3d6f98fde2273223b4496a5a27b1b3ba87ba0baa6138419

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\Scilexer.dll
        Filesize

        399KB

        MD5

        9092cc0fa27603c620df12b58c4c89df

        SHA1

        7b2e36fcf71aa8e20c3006a1ec001d50503a66e7

        SHA256

        6468cdf465b47c64ec621f548fff5e32ca24e21f50a331a17014f68006b12f0e

        SHA512

        a5a0d023cd06cc3b398b6929dfefb345d1ead3de54728b916e2c1c6a492a34ef610a0eedb55864b6f3d6f98fde2273223b4496a5a27b1b3ba87ba0baa6138419

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\settings.ini
        Filesize

        35B

        MD5

        ed779a82f9e4fa00bbd57871cfd119f4

        SHA1

        4884d4c73a122fabb56cfd53f8f98297f841fe5d

        SHA256

        a46d836ea8dc173d0107ef2680784725734d3c346149fce5fd3faf0268123d21

        SHA512

        87cdd8f09faadcb126e0af336258f97996f0019a283f5ceae6da29ad9e60bb5b7350dfddcb30c5a165370dd27146856268f142612d74ad8624f6e5cf7f7ee265

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\settings.ini
        Filesize

        103B

        MD5

        dbaf6017062b76b8d24c0b815a046c7f

        SHA1

        b2d0df3256abf6ba6fb2b83b0937271717e85bee

        SHA256

        29a006474dad628ca7da1490e8b45cf6303236562995877b47f858b26b0b10eb

        SHA512

        585bc74c24e5161c21e124f9de196887e5f79f6c0a90d66c3c00c677e8bb85a2dbe66cb0b19036942dac5823c6485e3c61035ddaad73f488f9bd67014e0277fa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\settings.ini
        Filesize

        140B

        MD5

        3cafd0055d7b74d6d3407961ffc05f3a

        SHA1

        337795e7664a95afb5a50fa482813e35bc2b5ab8

        SHA256

        ca3cbb85b7bcac77c94d6350bec4211b093869dea954c086fdde6140101c2730

        SHA512

        2eb2076fc9b1fc6bf43978b5a475e7ab960f8aa43f422eca83e5f402af13bb75e798a077d405f425bb1926371ec5d7701f55876bbcc2faf68201ed7b58f1e2f7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\settings.ini
        Filesize

        172B

        MD5

        69efcd77dd98aa22cb4f9de0b5d22ca2

        SHA1

        fea53c77eeb78fe56e2260493027084879f1e2eb

        SHA256

        7acb733a836f4ff687a60a2afedd4a8ea85581174bb6bbb650f4748e49a28147

        SHA512

        4cddd3d2749f90f295ddfca211531e8e82566a1bd5c1eae851564b68fd38537977032612c6ed782e0d2be3d527d4fef66aec2ee8d0cfbb086e80b1f37c9bf299

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\settings.ini
        Filesize

        188B

        MD5

        a5690667339a252290c546626192f1ec

        SHA1

        76dd8ca98c8df9bc3b8a900d19c257c14682ce94

        SHA256

        af228984c7a30cb42672ab7ecc376ddb996ec42e947033f411d2829cd5ea9f6f

        SHA512

        268d99f8086c9d1661277fafdb65839f20b0be9055eba5c570a57af6cbb7e71884efcaab04dec1763949408a87ae0b026dcee50d2ed9bc887dedcc67a6d0ab61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4491.tmp\settings.ini
        Filesize

        205B

        MD5

        df78fd0bd098092058689c464821549e

        SHA1

        b73d7debfb5706e6c0a87e14e446c82ce4cf616c

        SHA256

        efc6fda6c5fc5c7e8e5fbdce8f16d768c37783934c9f08e7ee4a33db4fc1f15a

        SHA512

        9b7f7822c04e16ae6d01e70056e46d61e168d268a5ed2df4c8d0307630ef262815e8ba7b6c6f8b213345a851560d8ee9369c8253e7614296d8ed1b8f14887250

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\Spark.exe
        Filesize

        495KB

        MD5

        181ee63003e5c3ec8c378030286ed7a2

        SHA1

        6707f3a0906ab6d201edc5b6389f9e66e345f174

        SHA256

        55bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe

        SHA512

        e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\Spark.exe
        Filesize

        495KB

        MD5

        181ee63003e5c3ec8c378030286ed7a2

        SHA1

        6707f3a0906ab6d201edc5b6389f9e66e345f174

        SHA256

        55bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe

        SHA512

        e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\TEMZ.exe
        Filesize

        145KB

        MD5

        e6168901057164d16298ef87a38efa66

        SHA1

        6299e0d6fdd292a49a881292cadfec443ed98825

        SHA256

        d67b2b20d9400ffb4415cb0ea40bd5d4652c662957cadd090d103f2976c12f4a

        SHA512

        4aecffe0e84d706ffc7c7535ade9ef0b5f51f3aca7b8e579ac2fd178685fd068662b79b3c5fd3acc312d6504d900591944c84e9c141c3ffd1b61aa8970fe0bec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\TEMZ.exe
        Filesize

        145KB

        MD5

        e6168901057164d16298ef87a38efa66

        SHA1

        6299e0d6fdd292a49a881292cadfec443ed98825

        SHA256

        d67b2b20d9400ffb4415cb0ea40bd5d4652c662957cadd090d103f2976c12f4a

        SHA512

        4aecffe0e84d706ffc7c7535ade9ef0b5f51f3aca7b8e579ac2fd178685fd068662b79b3c5fd3acc312d6504d900591944c84e9c141c3ffd1b61aa8970fe0bec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\Vbs_To_Exe.exe
        Filesize

        1.3MB

        MD5

        27dd3186c5f51823aaf82b815a3abfd6

        SHA1

        c6ab78825bbdd53df4da2fc9a92601659ce05cb5

        SHA256

        f50d774a95901ee952e0f6a03b69ff3de9d92c5146a5f8bff49c7a666e8e7825

        SHA512

        44d36b4a68fad18ca73351c45e0d85a28011358782c23a8175847d41f4fed80578061cb5d63c63a657f788afa9d669e17d650dfb9f6cfcd4d4fa40c50fde403e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\Vbs_To_Exe.exe
        Filesize

        1.3MB

        MD5

        27dd3186c5f51823aaf82b815a3abfd6

        SHA1

        c6ab78825bbdd53df4da2fc9a92601659ce05cb5

        SHA256

        f50d774a95901ee952e0f6a03b69ff3de9d92c5146a5f8bff49c7a666e8e7825

        SHA512

        44d36b4a68fad18ca73351c45e0d85a28011358782c23a8175847d41f4fed80578061cb5d63c63a657f788afa9d669e17d650dfb9f6cfcd4d4fa40c50fde403e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\Vbs_To_Exe.exe
        Filesize

        1.3MB

        MD5

        27dd3186c5f51823aaf82b815a3abfd6

        SHA1

        c6ab78825bbdd53df4da2fc9a92601659ce05cb5

        SHA256

        f50d774a95901ee952e0f6a03b69ff3de9d92c5146a5f8bff49c7a666e8e7825

        SHA512

        44d36b4a68fad18ca73351c45e0d85a28011358782c23a8175847d41f4fed80578061cb5d63c63a657f788afa9d669e17d650dfb9f6cfcd4d4fa40c50fde403e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\razorVirus_Builder.exe
        Filesize

        1.2MB

        MD5

        705a4e7994cd3e69ca2a80c58d7f5bf8

        SHA1

        b4f1f8029c7841b7614fd58d2c4fd5b4f1b2ea13

        SHA256

        08d19398b2f1e952797fdf7cef80b8d811c6f2f9801d5e25af800e8e7d323857

        SHA512

        af2d2ebf90922a79ae4d1df0958ff5650eb145c31307b1641d65b1c1d3539d9cfb14ddf83391e43e5be225ccbe3ca3ed54d25a3b06cb0688682833c99b79375d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\razorVirus_Builder.exe
        Filesize

        1.2MB

        MD5

        705a4e7994cd3e69ca2a80c58d7f5bf8

        SHA1

        b4f1f8029c7841b7614fd58d2c4fd5b4f1b2ea13

        SHA256

        08d19398b2f1e952797fdf7cef80b8d811c6f2f9801d5e25af800e8e7d323857

        SHA512

        af2d2ebf90922a79ae4d1df0958ff5650eb145c31307b1641d65b1c1d3539d9cfb14ddf83391e43e5be225ccbe3ca3ed54d25a3b06cb0688682833c99b79375d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\database\razorVirus_Builder.exe
        Filesize

        1.2MB

        MD5

        705a4e7994cd3e69ca2a80c58d7f5bf8

        SHA1

        b4f1f8029c7841b7614fd58d2c4fd5b4f1b2ea13

        SHA256

        08d19398b2f1e952797fdf7cef80b8d811c6f2f9801d5e25af800e8e7d323857

        SHA512

        af2d2ebf90922a79ae4d1df0958ff5650eb145c31307b1641d65b1c1d3539d9cfb14ddf83391e43e5be225ccbe3ca3ed54d25a3b06cb0688682833c99b79375d

        Download Submit

      • C:\Windows\File Cache\DLL.dll
        Filesize

        116KB

        MD5

        a61c26b360471c8258c7571037c4bca0

        SHA1

        5db105e0384f25b1ab165c10a9445e6b943cd0ff

        SHA256

        e77316a1fd682e1af8af3ccd03c170f886b9ec8edf7013e1be6a6207cb5a6f16

        SHA512

        3ef680d50ccfa4311d3d1bec1648c48cf8e8633353dea5e06f52339047ede36fd1655ce728541e769d9fcaa6ab8c2a66981aef708a9f4d05ae46ad26f9d6aef4

        Download Submit

      • memory/968-337-0x00000000706A0000-0x0000000070E50000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/968-338-0x00000000052D0000-0x0000000005874000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/968-339-0x0000000004DC0000-0x0000000004E52000-memory.dmp

        Filesize

        584KB

        Download

      • memory/968-343-0x0000000004D10000-0x0000000004D20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/968-336-0x00000000001F0000-0x0000000000270000-memory.dmp

        Filesize

        512KB

        Download

      • memory/4020-166-0x0000000000400000-0x00000000006B4000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4020-328-0x0000000000400000-0x00000000006B4000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4176-163-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-161-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-162-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-164-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-160-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-159-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-158-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-153-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-154-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4176-152-0x000001EBB8E10000-0x000001EBB8E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5104-330-0x0000000000400000-0x00000000006B4000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/5104-327-0x0000000000400000-0x00000000006B4000-memory.dmp

        Filesize

        2.7MB

        Download