Analysis

max time kernel: 326s
max time network: 378s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30/08/2023, 07:46

Static task
  static1: 1 signature

Behavioral task
  behavioral1
  Sample: NUMKASP-V3[@hackers_assemble].rar
  Resource: win10-20230703-en
  11 signatures, 1800 seconds

Behavioral task
  behavioral2
  Sample: NUMKASP-V3[@hackers_assemble]/NumKasp-V3.exe
  Resource: win10-20230703-en
  11 signatures, 1800 seconds

General

Target: NUMKASP-V3[@hackers_assemble].rar
Size: 7.3MB
MD5: 8cbd90c33ecea50e5395397d7a23dcca
SHA1: 013eb6066f50223dc7465f7a1b3695a5180b0d58
SHA256: f32a336d1e20c1d80f16fa90c5e4437b9daa8fc224d1a3faa0d1cc4db41c04bd
SHA512: 9fc3a3791d52d6565601080a88d3f93edaee13300e660a88173bc5090b2bf730493f755810a0405b7db67f6b09684d98b1a1fe98ee499f24a463b1f96c5efb3f
SSDEEP: 196608:pZq++GI8WrCUD0M0KSu01uCQyvnEoCtcidFXOndnCt:pZq3GIlb0M0Y01LQyEoCtP7EO
Score: 5/10
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
  description  ioc  Process
  File opened for modification  C:\Windows\system32\devmgmt.msc  mmc.exe

Drops file in Windows directory (50 IoCs)
  description  ioc  Process
  File created  C:\Windows\INF\c_fsquotamgmt.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsactivitymonitor.PNF  mmc.exe
  File created  C:\Windows\INF\c_fscfsmetadataserver.PNF  mmc.exe
  File created  C:\Windows\INF\c_extension.PNF  mmc.exe
  File created  C:\Windows\INF\c_fssecurityenhancer.PNF  mmc.exe
  File created  C:\Windows\INF\c_holographic.PNF  mmc.exe
  File created  C:\Windows\INF\c_fscontentscreener.PNF  mmc.exe
  File created  C:\Windows\INF\c_processor.PNF  mmc.exe
  File created  C:\Windows\INF\c_scmvolume.PNF  mmc.exe
  File created  C:\Windows\INF\c_fssystem.PNF  mmc.exe
  File created  C:\Windows\INF\c_fscontinuousbackup.PNF  mmc.exe
  File created  C:\Windows\INF\rawsilo.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsinfrastructure.PNF  mmc.exe
  File created  C:\Windows\INF\c_firmware.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsopenfilebackup.PNF  mmc.exe
  File created  C:\Windows\INF\c_proximity.PNF  mmc.exe
  File created  C:\Windows\INF\c_volume.PNF  mmc.exe
  File created  C:\Windows\INF\c_cashdrawer.PNF  mmc.exe
  File created  C:\Windows\INF\c_netdriver.PNF  mmc.exe
  File created  C:\Windows\INF\ramdisk.PNF  mmc.exe
  File created  C:\Windows\INF\c_barcodescanner.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsphysicalquotamgmt.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsencryption.PNF  mmc.exe
  File created  C:\Windows\INF\miradisp.PNF  mmc.exe
  File created  C:\Windows\INF\xusb22.PNF  mmc.exe
  File created  C:\Windows\INF\c_fscompression.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsundelete.PNF  mmc.exe
  File created  C:\Windows\INF\dc1-controller.PNF  mmc.exe
  File created  C:\Windows\INF\c_sslaccel.PNF  mmc.exe
  File created  C:\Windows\INF\c_mcx.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsreplication.PNF  mmc.exe
  File created  C:\Windows\INF\c_fscopyprotection.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsantivirus.PNF  mmc.exe
  File created  C:\Windows\INF\c_diskdrive.PNF  mmc.exe
  File created  C:\Windows\INF\c_receiptprinter.PNF  mmc.exe
  File created  C:\Windows\INF\c_fshsm.PNF  mmc.exe
  File created  C:\Windows\INF\c_magneticstripereader.PNF  mmc.exe
  File created  C:\Windows\INF\c_swcomponent.PNF  mmc.exe
  File created  C:\Windows\INF\PerceptionSimulationSixDof.PNF  mmc.exe
  File created  C:\Windows\INF\ts_generic.PNF  mmc.exe
  File created  C:\Windows\INF\wsdprint.PNF  mmc.exe
  File created  C:\Windows\INF\c_apo.PNF  mmc.exe
  File created  C:\Windows\INF\oposdrv.PNF  mmc.exe
  File created  C:\Windows\INF\remoteposdrv.PNF  mmc.exe
  File created  C:\Windows\INF\digitalmediadevice.PNF  mmc.exe
  File created  C:\Windows\INF\c_fssystemrecovery.PNF  mmc.exe
  File created  C:\Windows\INF\c_monitor.PNF  mmc.exe
  File created  C:\Windows\INF\c_linedisplay.PNF  mmc.exe
  File created  C:\Windows\INF\c_scmdisk.PNF  mmc.exe
  File created  C:\Windows\INF\c_fsvirtualization.PNF  mmc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (4 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings  control.exe
  Key created  \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings  control.exe
  Key created  \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings  cmd.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid  Process
  684  vlc.exe

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  pid  Process
  964  OpenWith.exe
  684  vlc.exe
  208  mmc.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description  pid  Process
  Token: SeShutdownPrivilege  3852  control.exe
  Token: SeCreatePagefilePrivilege  3852  control.exe
  Token: 33  208  mmc.exe
  Token: SeIncBasePriorityPrivilege  208  mmc.exe
  Token: 33  208  mmc.exe
  Token: SeIncBasePriorityPrivilege  208  mmc.exe
  Token: SeShutdownPrivilege  3704  control.exe
  Token: SeCreatePagefilePrivilege  3704  control.exe

Suspicious use of FindShellTrayWindow (10 IoCs)
  pid  Process
  684  vlc.exe  (9 entries)
  208  mmc.exe  (1 entry)

Suspicious use of SendNotifyMessage (8 IoCs)
  pid  Process
  684  vlc.exe  (8 entries)

Suspicious use of SetWindowsHookEx (64 IoCs)
  pid  Process
  964  OpenWith.exe  (all 64 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
  description  pid  Process  procid_target
  PID 964 wrote to memory of 684  964  OpenWith.exe  72
  PID 964 wrote to memory of 684  964  OpenWith.exe  72
  PID 3852 wrote to memory of 208  3852  control.exe  78
Processes

[1] C:\Windows\system32\cmd.exe  (PID 2308)
    cmd /c C:\Users\Admin\AppData\Local\Temp\NUMKASP-V3[@hackers_assemble].rar
    - Modifies registry class

[1] C:\Windows\system32\OpenWith.exe  (PID 964)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 684)
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\NUMKASP-V3[@hackers_assemble].rar"
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

[1] C:\Windows\system32\control.exe  (PID 3852)
    "C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\mmc.exe  (PID 208)
        "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow

[1] C:\Windows\SysWOW64\DllHost.exe  (PID 4624)
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

[1] C:\Windows\system32\control.exe  (PID 3704)
    "C:\Windows\system32\control.exe" SYSTEM
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\DllHost.exe  (PID 4248)
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
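Read as printed, this behavioral run never unpacked or executed the archive: cmd.exe was handed the .rar path directly, Windows raised the OpenWith.exe dialog, and vlc.exe opened the file. All 50 .PNF drops (SetupAPI's precompiled INF cache) and the devmgmt.msc modification belong to mmc.exe running under control.exe /name Microsoft.DeviceManager, not to any process descended from the sample. The script below is an added example, not part of the sandbox report or of the sandbox vendor's tooling: it parses the two text shapes the report uses (the flattened "description ioc Process" tables and the "<image><command line><depth>⤵ / PID:n" process tree) from a constructed subset of the report's own rows, attributes each IoC to its process chain, and refuses to guess for rows that only name an image that ran more than once (control.exe here). Function and variable names are the example's own.

```python
"""Attribute a sandbox report's flattened IoC rows to process chains.

Added example, not part of the sandbox report or the vendor's tooling. It
parses the two text shapes visible in the report above:
  process tree : "<image path><command line><depth>⤵" then "PID:<n>"
  IoC tables   : "File created <path> <process>", "Key created <key> <process>",
                 "PID <a> wrote to memory of <b> <a> <process> <n>"
Both inputs below are a constructed subset of the report's own rows.
"""
import re
from collections import Counter

# Constructed: process lines copied from the report; one signature flag
# row is kept to show that such rows are skipped.
PROCESS_TREE = r"""
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\NUMKASP-V3[@hackers_assemble].rar1⤵
- Modifies registry class
PID:2308
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
PID:964
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\NUMKASP-V3[@hackers_assemble].rar"2⤵
PID:684
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager1⤵
PID:3852
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc2⤵
PID:208
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:4624
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
PID:3704
"""

# Constructed: a few rows from four of the report's signature tables.
IOC_TABLES = {
    "Drops file in Windows directory":
        r"File created C:\Windows\INF\c_fsquotamgmt.PNF mmc.exe "
        r"File created C:\Windows\INF\c_fsactivitymonitor.PNF mmc.exe "
        r"File created C:\Windows\INF\c_fshsm.PNF mmc.exe",
    "Drops file in System32 directory":
        r"File opened for modification C:\Windows\system32\devmgmt.msc mmc.exe",
    "Modifies registry class":
        r"Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings OpenWith.exe "
        r"Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings control.exe "
        r"Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings cmd.exe",
    "Suspicious use of WriteProcessMemory":
        "PID 964 wrote to memory of 684 964 OpenWith.exe 72 "
        "PID 964 wrote to memory of 684 964 OpenWith.exe 72 "
        "PID 3852 wrote to memory of 208 3852 control.exe 78",
}

# Image path runs straight into the command line; the first ".exe" ends it.
PROC_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)$")
# Target may contain spaces ("Local Settings"), so anchor on the trailing
# image name and on the next row's leading keyword instead of splitting.
NAMED_RE = re.compile(
    r"(?P<desc>File created|File opened for modification|Key created) "
    r"(?P<target>.+?) (?P<proc>\S+\.exe)(?=\s+(?:File|Key)\b|\s*$)")
WPM_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) (?P<proc>\S+\.exe) \d+")


def parse_process_tree(text):
    """Return {pid: proc}; each proc has image, cmd, depth and a parent link."""
    procs, stack, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("- "):        # blank or a signature flag row
            continue
        m = PROC_RE.match(line)
        if m:
            current = {"pid": int(m["pid"]) if m["pid"] else None,
                       "image": m["image"].rsplit("\\", 1)[-1],
                       "cmd": m["cmd"].strip(), "depth": int(m["depth"]), "parent": None}
            # parent = nearest preceding process one level shallower
            while stack and stack[-1]["depth"] >= current["depth"]:
                stack.pop()
            current["parent"] = stack[-1] if stack else None
            stack.append(current)
            procs.append(current)
        elif PID_RE.match(line) and current is not None:  # PID on the following line
            current["pid"] = int(PID_RE.match(line)["pid"])
    return {p["pid"]: p for p in procs}


def chain(proc):
    """Render 'root(pid) > ... > proc(pid)' by walking the parent links."""
    parts = []
    while proc is not None:
        parts.append(f"{proc['image']}({proc['pid']})")
        proc = proc["parent"]
    return " > ".join(reversed(parts))


def parse_iocs(tables):
    """Split every flattened signature table into one dict per IoC row."""
    rows = []
    for signature, text in tables.items():
        for m in WPM_RE.finditer(text):              # rows that carry the acting PID
            rows.append({"signature": signature, "desc": "wrote to memory of",
                         "target": m["target"], "proc": m["proc"], "pid": int(m["pid"])})
        for m in NAMED_RE.finditer(text):            # rows that carry only an image name
            rows.append({"signature": signature, "desc": m["desc"],
                         "target": m["target"], "proc": m["proc"], "pid": None})
    return rows


def attribute(rows, procs):
    """Attach every candidate chain; a bare image name that ran twice stays ambiguous."""
    by_image = {}
    for p in procs.values():
        by_image.setdefault(p["image"].lower(), []).append(p)
    out = []
    for row in rows:
        cands = [procs[row["pid"]]] if row["pid"] in procs else by_image.get(row["proc"].lower(), [])
        out.append(dict(row, chains=[chain(p) for p in cands]))
    return out


def summarize(attributed):
    """Count IoCs per root process; rows with zero or several chains are unresolved."""
    counts = Counter()
    for row in attributed:
        if len(row["chains"]) == 1:
            counts[row["chains"][0].split(" > ")[0]] += 1
        else:
            counts[f"unresolved({row['proc']})"] += 1
    return counts


if __name__ == "__main__":
    procs = parse_process_tree(PROCESS_TREE)
    for key, n in summarize(attribute(parse_iocs(IOC_TABLES), procs)).most_common():
        print(f"{n:3d}  {key}")
```

On the constructed subset every file IoC lands under control.exe(3852) via mmc.exe(208), the WriteProcessMemory rows land under OpenWith.exe(964) and control.exe(3852), and the registry row naming control.exe is reported as unresolved because both PID 3852 and PID 3704 match by name; the full report's rows attribute the same way, with nothing under cmd.exe(2308) beyond its own registry key.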