Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2023 01:25
Static task static1
Behavioral task behavioral1: sample installer.rar, resource win7-20230831-en
Behavioral task behavioral2: sample installer.rar, resource win10v2004-20230831-en
Behavioral task behavioral3: sample winrar-x64.exe, resource win7-20230712-en
Behavioral task behavioral4: sample winrar-x64.exe, resource win10v2004-20230831-en
General
Target: installer.rar
Size: 2.2MB
MD5: f47e38957e5a4cc47a54621ddd53974e
SHA1: d90df167441c407a9453c6f1b6737278fce67c7b
SHA256: b32cba53b8d0f92a6765dfad0c7d81c95984a5ba3dd567d24b186ad6862c8bbc
SHA512: f71d819a5f98fcf67989e2ba916ad9735783c0f7ba92c808b3722c286acc5fdb9280b6b817ecf785932330b525f19646afe5cb0c20b38f142eea767c71b29d5e
SSDEEP: 49152:X86pf36yPjjldDaMR9ejNuJZS9lRf7eeuz9U8TN:XlpfjBLENuJZS9P7NwU8h
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000_Classes\Local Settings | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: rundll32.exe
  pid  | process
  2704 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description                       | pid  | process | target process
  PID 1672 wrote to memory of 2704  | 1672 | cmd.exe | rundll32.exe
  PID 1672 wrote to memory of 2704  | 1672 | cmd.exe | rundll32.exe
  PID 1672 wrote to memory of 2704  | 1672 | cmd.exe | rundll32.exe
Processes
C:\Windows\system32\cmd.exe (PID 1672)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\installer.rar
  Signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\system32\rundll32.exe (PID 2704)
       Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\installer.rar
       Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam
C:\Windows\explorer.exe (PID 2732)
  Command line: "C:\Windows\explorer.exe"