46b26f573c1cd27de80d424813708da896406c34257f59f6455d86477aa4347c

Analysis

max time kernel
454s
max time network
479s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
19-09-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6.zip
Size

4.9MB
MD5

cfe81aeea6d49b4d09658d47f2d3478d
SHA1

5856e7afebba6dc6b954b67f7fedd49a9bc18bf0
SHA256

f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6
SHA512

b03b9a79efa4a36be4e6977ff959a2c32b5e12859e5a8cdedae6a6a7a3cc81b6017dd3b3506703996213990d5a777ad41c5e746f37288d32b5a1eeda29a71f3d
SSDEEP

98304:WELp3tbYw/Ncr37Q+NCOMET3Pq6K/L1CF0Xap09HG10Ovi:JLRJ9NcpCOVTXK5CF0s00y

Score

1^/10

Malware Config

Signatures

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.php	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.php\ = "php_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\php_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 12 IoCs

ransomware

pid	Process
4832	NOTEPAD.EXE
5000	NOTEPAD.EXE
4140	NOTEPAD.EXE
3720	NOTEPAD.EXE
2500	NOTEPAD.EXE
1624	NOTEPAD.EXE
392	NOTEPAD.EXE
3796	NOTEPAD.EXE
4272	NOTEPAD.EXE
3168	NOTEPAD.EXE
3160	NOTEPAD.EXE
1480	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2268	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3760	7zG.exe
Token: 35	3760	7zG.exe
Token: SeSecurityPrivilege	3760	7zG.exe
Token: SeSecurityPrivilege	3760	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3760	7zG.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1624	2268	OpenWith.exe	95
PID 2268 wrote to memory of 1624	2268	OpenWith.exe	95
PID 4460 wrote to memory of 392	4460	OpenWith.exe	97
PID 4460 wrote to memory of 392	4460	OpenWith.exe	97

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6.zip
1⤵
PID:924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3828

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\" -spe -an -ai#7zMap6010:186:7zEvent18396
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\cr51.php
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\index.php
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\install\index.php
1⤵
- Opens file in notepad (likely ransom note)
PID:3796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\setpanel.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:4832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\killbot.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:4272

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\core.php
1⤵
- Opens file in notepad (likely ransom note)
PID:3168

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\helpers.php
1⤵
- Opens file in notepad (likely ransom note)
PID:3160

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Controllers\Panel.php
1⤵
- Opens file in notepad (likely ransom note)
PID:5000

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Assets\email\index.php
1⤵
- Opens file in notepad (likely ransom note)
PID:1480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Static\log_account.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4140

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Views\pc\pwd.php
1⤵
- Opens file in notepad (likely ransom note)
PID:3720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Views\index.php
1⤵
- Opens file in notepad (likely ransom note)
PID:2500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Assets\_titit\js\jquery-3.3.1.min.js

Filesize
105KB

MD5
d532c905d593a7f16eff99f24f27621e

SHA1
ea0f0d16f78ec4bbaf7866213a2f012d2793e14c

SHA256
97ecd42dea3bc998c5efd456bc13e2c45c700fba1c581961ca1481676bf08b42

SHA512
81d727042f98245db1a8b66cca98ab7898e8f98d774e8b3930273f66f3ece6db3b20d47598ecf88cf14f96553ab676dc3fce663bd34f299c72d71bbb82eb245a

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Assets\email\index.php

Filesize
547B

MD5
399671c054cecf7c9cc4c185c0affa37

SHA1
6e0f6a849aaaaa56492e57b12778ccfc5132d6f7

SHA256
e10e88587c22b2a1a7c826f88544c4344dd93fc65c9897bc24fa4e1b8fb79d15

SHA512
5093ffd708ea1fc3c9dc1c3158817f9541686f34cb468068e0409bbec93ce2f6c288630ae1ea3a59f36349b3362cdd2ba97cb2fa3f6fcec047fe6285e3770f20

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Assets\email\index.php

Filesize
547B

MD5
399671c054cecf7c9cc4c185c0affa37

SHA1
6e0f6a849aaaaa56492e57b12778ccfc5132d6f7

SHA256
e10e88587c22b2a1a7c826f88544c4344dd93fc65c9897bc24fa4e1b8fb79d15

SHA512
5093ffd708ea1fc3c9dc1c3158817f9541686f34cb468068e0409bbec93ce2f6c288630ae1ea3a59f36349b3362cdd2ba97cb2fa3f6fcec047fe6285e3770f20

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Assets\kintil\fonts\dm-sans-dmsans-medium.woff

Filesize
2KB

MD5
86a34cce79bd5423710c85e1f7bfc41f

SHA1
313769a80022bde33583eba32e8332da191ea8f1

SHA256
f0f07a5d49055eaf75683eeb64fb90e55c6bcc426a8108f41152a88f3c00c16c

SHA512
e92bd072c27965f827d852220840ca449c65a0231665a13cba3135c9380c31e81019ea9c2f1c8363776c92780f2fc20d6ecbdffac9cebe2a382f7ab8c5aaa5c0

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\core.php

Filesize
11KB

MD5
476ddf3a316a6a9854120e857d499973

SHA1
49dea668909e227f01df32760b4d761a38b9e4ae

SHA256
f08c957937811b2015d5e58c504f5c1042b9842ff4a2bb8e7dc3487fb9430530

SHA512
c33fb9ec94ffdc53490b9d073f613d68d7cb0a3a010715ec07c3dfe9dc564874ab5d788497ddc94b1a5bc6d0ff8addd03a34ed3aac71e4a61097cd374bb74ee2

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\helpers.php

Filesize
11KB

MD5
ef5a030d0e21e9472934e0c42cb09d9c

SHA1
c2dbe92d1fc252b41c68670b6ef6b819621de9af

SHA256
fa7de972e6baffc5fb73e9631ecbb4628f2e98923ae3d6b682ac627bd122543b

SHA512
cf293560ae75f26f09bdd3747174129d7242357b8d37e0182967b4dba803e386ce7d86ffb7812df9c8d5eab2294aa77b2f1df812e77b0940fe419f0b77c54a60

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\killbot.ini

Filesize
17B

MD5
1c3d01e107077564c8e201bc8c959e4d

SHA1
f2581310bb1163585e5363aa39f2abe1a3359008

SHA256
0c7773877a2ea3865cdd692a228fadba1b55682d215a827fc08d022528f726f5

SHA512
74ebc20c311d6e8d54f6e180445c477d16565ff798f8464c4edc7b38a0d0eb40a7f1e3c798628b6da3bbba547bba0595e8057cd191d16ec577fcc9abcb96222e

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Brain\setpanel.ini

Filesize
191B

MD5
40d291a8b480fb76a7badf803a339ce8

SHA1
2aff0f98380473d87e37f825c16a11dcb1ebc8b6

SHA256
dee236aac282ce64781943011502a7fa9d51159ed4f158004bb82e1463dff9ec

SHA512
56e9305f5863057f12ab0343db67fac377caf5a851ecdffedf4221e63ca5be2dfe22314ae5ba7c01594a6d9550335e161ca2ff5461b6d9fba534b8ad8b3bf786

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Controllers\Panel.php

Filesize
15KB

MD5
2e2907d14fd7dbd3d51dd09dcbc07862

SHA1
0363d85e95c9636b36b2a2299ac031cd4c1f4c22

SHA256
d13653b1561fc4054432c51113ef75e5356bcde763729c47444b17e64c313b64

SHA512
86f7a3fe91c3961a526fe82b069a2239de0679168d395ed6af146ba8c4ce89f73a48c43fe91b4c3176a825ad8dbdf265f89fa552f495afa2109b16c3c6739e2d

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Views\index.php

Filesize
547B

MD5
399671c054cecf7c9cc4c185c0affa37

SHA1
6e0f6a849aaaaa56492e57b12778ccfc5132d6f7

SHA256
e10e88587c22b2a1a7c826f88544c4344dd93fc65c9897bc24fa4e1b8fb79d15

SHA512
5093ffd708ea1fc3c9dc1c3158817f9541686f34cb468068e0409bbec93ce2f6c288630ae1ea3a59f36349b3362cdd2ba97cb2fa3f6fcec047fe6285e3770f20

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Views\pc\card.php

Filesize
307KB

MD5
4ff046a98f6127c03254188197a4b187

SHA1
582f2acae0580dc1fe1a383ca4eb607525038289

SHA256
9903415eda583e9f166af2a3a137410fb394a58f35760753593d57f3c7b51255

SHA512
d851e88e87000521ad17b12a9e8b1b2297d86b3bfeaff9e98d5c7f2aad29d031872360fb90fd6e60244da5c1f13d8687fa5406167ad0bb098b50501613f634c8

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\CR51\Views\pc\pwd.php

Filesize
121KB

MD5
6c8a5f9de756b7746fc4ee73c375855c

SHA1
654ca9753f8f16ab54f2c12c8eebae832880ae07

SHA256
0910264c0f714a1389cc5766cf176eefa2f5f7344bb2daf528e3e135581598d9

SHA512
6ddc8e0294cb97502c53211673476cccae7cf6fc0465ca6dd78271625c62a6e665d7c86505a129669bd054e097999d781ef7c2b925f79e419edf5456f40a9bb3

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\cr51.php

Filesize
223B

MD5
7b2103137a6da520c065433c03186ad9

SHA1
6acb5a8ffd01b26088b8487e9cba17afdf1f98ac

SHA256
8889caa772b7a0877d70f99a2aeb1d8cc1bfdbfe6e0c882f4b9f6789dd9fcd68

SHA512
ae25679c4eacd8e22e7e46fc56d2db687ac4d288852f5b9000da845a0c01cb2e7ff6fa6c7eac7b7e8a0c2d4bf60fbc78f6166e93bd010c94c9745a59c343805c

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\index.php

Filesize
115B

MD5
6537c66e2924d954ea7a9564686da986

SHA1
88db9b8b9da9bb15ac76b8cb3740d951610e70ed

SHA256
7ab8f75b1ad4a4d19fb0e836939e99593d5255593e73dd988f8a25240d63e076

SHA512
d35477425c4eee62985fb8e784bfbd3bec9b88ef2d3f2a3298aee761edde38badc73f3bf39444d003bc54ba4ae835bf38f5bd5b398a7898e735c212031f9ad1c

Download Submit
C:\Users\Admin\Desktop\f3262274c0bcba86219b148d7d12eb51293959090c9914cf5347a02032d2fdd6\install\index.php

Filesize
17KB

MD5
74a5e1753fe31718485734d9e6df3ddb

SHA1
2ebfbdcac04e1b19279190cfa11bd5a38bd7f4fe

SHA256
4783de1138e1a571e3774a2588228987d87735017aa2c1a295ce7c379e329201

SHA512
c5eba91c45b0572a02355b83f0b6f34307a26f726ea8ec79297228948aeef3c9020fab225aae2e1171e26bf567a2df7689085d14050ac8c83d9c3539d9f1dffc

Download Submit