18e4f87a66012f9b747f5512876bf0d8f8746344db775b68f68f5077d7e5d88a

Analysis

max time kernel
56s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2023, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.rar
Size

12.8MB
MD5

abd9e17c99f6b2478b6f032220fda304
SHA1

176620c4bfc04725cf653be81ea3cc315f70f4d6
SHA256

18e4f87a66012f9b747f5512876bf0d8f8746344db775b68f68f5077d7e5d88a
SHA512

cc83e7a26acab97d1f70ee90e1b18149f2847b09e79c4237d1e4866c154ccd77e99378612d8c39c13c9dea1bc46fa4f4500e6f7b3d4dbe47e54310fa6ea15672
SSDEEP

196608:ByAlqFAIcJ08ZLZLo8P0Z979Pu2aPczoNy4hyibtDUjT+T0QLhHV0LIlHTNyuYCE:QJV8BZI5Pu6NQtDS+TJh2Lwxkeb+3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4120	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4376	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe
4376	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1060	4376	OpenWith.exe	97
PID 4376 wrote to memory of 1060	4376	OpenWith.exe	97
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 1060 wrote to memory of 2220	1060	firefox.exe	99
PID 2220 wrote to memory of 4904	2220	firefox.exe	100
PID 2220 wrote to memory of 4904	2220	firefox.exe	100
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2008	2220	firefox.exe	101
PID 2220 wrote to memory of 2352	2220	firefox.exe	102

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Setup.rar
1⤵
- Modifies registry class
PID:2260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Setup.rar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Setup.rar
    3⤵
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.0.972746029\1609031853" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1800 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e543d2f6-4260-4c06-bfdf-40705f0e866f} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 1964 1f216ccd158 gpu
      4⤵
      PID:4904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.1.1546371868\2037056803" -parentBuildID 20221007134813 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61fea901-bb8d-425e-8d37-e68ff7108d6a} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 2388 1f216ae6b58 socket
      4⤵
      PID:2008
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.2.1454438901\1418740120" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3096 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9a663a8-066a-48d5-85ac-9f9de555e4b0} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 2776 1f21acc3258 tab
      4⤵
      PID:2352
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.3.1025720942\970436244" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3476 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc0288c1-63e6-4424-9530-8bb96727645a} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 3464 1f21964ef58 tab
      4⤵
      PID:4700
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.4.1174115998\117165199" -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 4560 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425a408f-0370-4f96-a1b8-d30b787487b7} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5160 1f20a366558 tab
      4⤵
      PID:1452
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.6.195274023\510047132" -childID 5 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed1c39f-6f9e-4994-936f-1396b6294ea5} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5452 1f21d22ea58 tab
      4⤵
      PID:2604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.5.1820722056\969060899" -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd3d5c1-d6c0-43a6-a663-6ce7d5f82c9d} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5320 1f21d163758 tab
      4⤵
      PID:3348

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Setup.rar
1⤵
- Opens file in notepad (likely ransom note)
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\activity-stream.discovery_stream.json.tmp

Filesize
148KB

MD5
3c71021c0b0297c50fde463d667a8ba8

SHA1
b22a239a0292715d2239d56f9272065f80a66bb8

SHA256
c19aef0de598379d4e20caeaa272619140dc08669d5d31de63ef84e05d6da853

SHA512
98f75b4e0f0ee609847768200401fc4463231d349f5cf3cf4fca14d5282617b8865500ae926d2786a39348e4367afa89270dfe9dc8844dee514f1805c42ce1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
997B

MD5
83c060d60096b481ff4b2af00b3e462c

SHA1
2c7764f5109a671a82040d194117db9a1a0a56ae

SHA256
4de5968358b43f56a297b215c8dc87385ce35b0a0580ea4ededd7e421414322d

SHA512
1141eb0209755a9f3f7837feeaec830a4d260d38991249c35f77eb75ab014c820c2eee09a4423089e5c50f369115b9c768b0b3c1b77943dcccfe5cd2697d156c

Download Submit
C:\Users\Admin\Downloads\K0iZKs2V.rar.part

Filesize
12.8MB

MD5
abd9e17c99f6b2478b6f032220fda304

SHA1
176620c4bfc04725cf653be81ea3cc315f70f4d6

SHA256
18e4f87a66012f9b747f5512876bf0d8f8746344db775b68f68f5077d7e5d88a

SHA512
cc83e7a26acab97d1f70ee90e1b18149f2847b09e79c4237d1e4866c154ccd77e99378612d8c39c13c9dea1bc46fa4f4500e6f7b3d4dbe47e54310fa6ea15672

Download Submit