Analysis
-
max time kernel
525s -
max time network
532s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
19/09/2023, 18:15
General
-
Target
LatsunaGame.rar
-
Size
71.5MB
-
MD5
a3640d4a06d302fe758fa98647e8bb55
-
SHA1
e976658d011b4c637652ec9c18244fc280044eca
-
SHA256
6e46af397e31820f509674d6b97923ca511d303a0e170fd29acfc3f21722ac89
-
SHA512
66eb86658346b552c159efcec640892935c37bda9e601c913fbc5a2a1406a57ff1cbf200012043bb0dadd0493fbbf4cae0e6c968af5fb2bb11af33a202109094
-
SSDEEP
1572864:FqxZIThhE2T1mdKnFZ9b+Ij/m+LDb6ZlrO8hVYadWet6itgyDK5kUoE:F+ZchoebvOKElVVhwitPDS7oE
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 11 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\LatsunaGame.rar1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\LatsunaGame.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\LatsunaGame.rar3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1236.0.56455049\523451785" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60a8e733-8618-42fc-ac79-94cd0f19f9c0} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" 1980 2124c2e2b58 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1236.1.920799298\52092753" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9eb35e1-e3c8-40ea-a1fd-4c8047f24a31} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" 2404 2123f871458 socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1236.2.184119510\1250595901" -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3264 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba53f5b7-5b26-428a-975d-9a8ad0cece85} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" 3240 2124c25bc58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1236.3.677371703\1826825069" -childID 2 -isForBrowser -prefsHandle 1072 -prefMapHandle 1028 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3942729d-d055-4d92-b553-60bf236e9cbd} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" 3432 2123f863258 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1236.4.707914525\82042069" -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd5104cc-f914-4cdc-8127-9bce42ec069e} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" 5196 2124d9ceb58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1236.6.154635061\1632808392" -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d4bb419-5f34-4a26-a93e-91fe8fb20223} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" 5512 21253204158 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1236.5.322018460\176485356" -childID 4 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af15f585-f5f4-423d-96ae-e4e1c5d9c4f3} 1236 "\\.\pipe\gecko-crash-server-pipe.1236" 5324 21253206b58 tab4⤵
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\LatsunaGame.rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\LatsunaGame.rar2⤵
- Checks processor information in registry
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\LatsunaGame.rar2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LatsunaGame\" -ad -an -ai#7zMap21962:84:7zEvent27401⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap23645:84:7zEvent125161⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD5878e748db0021f5afe622b6810fd224d
SHA1912ec552ec7a47c82935e97fce16b493012391f2
SHA256940c458de6a2c23c9f61f3ddaec1f5dac4be297deb6c2834e3bbf87a2fff938f
SHA5121b22840901e9901c2aea882f59767213920f1dc9fd98cf77b68a10cb0d2a0b43b538d518f0287081a1088d15a1903b10b7922280fa16902497e20c5cf57ec72e
-
Filesize
13KB
MD5529c2293e470b8014676e51f01f91985
SHA1731b0309a3666b4b6ef775609b0a1e618a70c40b
SHA25698e47ae412a6ee6f07e016a9cc8a85920628b1c8f7630da7316a6dc81d54bd22
SHA51236e5a69c01e42d1ed826eafdf93c762cf48c084d5f1e96464ee1fc7ce0bcfb41d982ef8f8a33e43942f31e86aec33d3aa21b79bbde69946f519b42614eb827af
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
7KB
MD595027b1d65b58663f32d166b34a7be9c
SHA14183d65cfd4b1d31fc275458382e91c03b7d5f06
SHA25601bb887af9bd3bcd09f72bb8aef4f43b55d87f1d0bdfda16f58fbe63fb5a552e
SHA5128ef7a17bef02203a14950d37f8132e17fc5b40b2c8d4497cc832659fc413947f8020174d384150a31c98bf2f81fcab99d711948107eb1cb211ce8e7c719cf4ef
-
Filesize
7KB
MD54fd761d31190972d6424778494b321d3
SHA17b31bd21d0a827d3f053d2576caf4a56f561d9ff
SHA2568fe797e9b347f02b104f599cc362395f0196e6c2d7d4683c0b94e5f2f00623a0
SHA512054b09b330bf9e0a96c808468e1ac5196d51d04dae63c034e1c91d1a19efdb16b2cc9560ae3c09473a05d15fcd69c9662435d67717ac15485abda4262383dfae
-
Filesize
182B
MD51c3c58f7838dde7f753614d170f110fc
SHA1c17e5a486cecaddd6ced7217d298306850a87f48
SHA25681c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d
SHA5129f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
8KB
MD59abe3c90c2e67e510cc0ee1cef19af9f
SHA18f3644a96ae41787bcf951d2fe21f2d47ba3139a
SHA25679f10672f5f6f5fc86da417ca5f3aa5dc21beddd9f18234b35f4405b831f08ff
SHA512841b82b0fc177f0228d1fb13d630a080cb9dd1752210139e265d4444f3530f332472435f78445c2f8e74ec6ee53bfa2076dc93fa82ee74897a6eaebc51cfc983
-
Filesize
7KB
MD5e85c75dc271aca3bdf50734cea747b82
SHA125f1aa8ccd385ccb749945132807e3f8fb7bb7a9
SHA25647075c1275e69637355d6ecd661a68e8986492627a130f320e044306f3c81efd
SHA512c4fe996aecd53d64a1014a454946ff6bc96fabf7c2851c6f8db2e1dc2bc58cb8844038133de55a874ee7455898c1054ff2c382c794ce88d0ee28ec93ae010e82
-
Filesize
6KB
MD5f8d1f78b9e9b47c76d8340095e8b8f57
SHA1deae98ac4b3235fd9f002290fdb80a68e1bd0db2
SHA256909be675155171e838888c3ab348def7164357cc5a1cf5a46664f9716e750f39
SHA512c70018a9ff3bd084b2ffd2e6a39016f47984aeb47f6166489eee38cbe773f5def530a952295a64d853835456538147e5452e07de336a1fa7f1b602ced34231c7
-
Filesize
995B
MD550650953f5cce70ad5bd9632a1d40fbd
SHA1de1fc14c4da168795123cc3e6c3f0ea3d1fa1b0a
SHA256a34a905f5ae556eca08b9427cf82a996c63c4a1ebde52113c6a99aa844970cd5
SHA51244875ebb3dcb45387714fbc3c2bd760be9ebd5f66a3bdfe697842b616d2bcfcceff58a9db8c17341f52e080030ccea5509547ffe457f7fdd696f3711ceb1248c
-
Filesize
1KB
MD5ce334a7af294067609ebb5d7994297f9
SHA18b2b9c39678fe0dd612f1871f5e7db0d3ff9b0a3
SHA256072adab9dccab1a41d17ff13fe6b22f73cd0645af766716b72a698aae4c174ba
SHA51241a7aebf85df868a9b346475aa17cebbfdd0b55d2c36eb7a4760f8ff02bfd633229e52b7f73960b10eb1df3d77e90cb0b846ade31b54d4d21bacd9d593e68a4e
-
Filesize
1KB
MD58dafc092f5a6acee40d45ef215ca4f79
SHA139bc72709ac4eb04602e4f54c33fcb9d6383bcb9
SHA256c7756e21df70b7f3804646c2b937353b162f07c76845ce2030a9d94760e0e5ab
SHA51207ad12f48df89983f7a1a0284b992800e4f7c5e2887cce6e333ed1e73dd1e8f4057ea7c5232cbfc93e3d288aeb3623c1dda68e686d12852436febb29ad5933f3
-
Filesize
71.5MB
MD5a3640d4a06d302fe758fa98647e8bb55
SHA1e976658d011b4c637652ec9c18244fc280044eca
SHA2566e46af397e31820f509674d6b97923ca511d303a0e170fd29acfc3f21722ac89
SHA51266eb86658346b552c159efcec640892935c37bda9e601c913fbc5a2a1406a57ff1cbf200012043bb0dadd0493fbbf4cae0e6c968af5fb2bb11af33a202109094
-
Filesize
71.5MB
MD5a3640d4a06d302fe758fa98647e8bb55
SHA1e976658d011b4c637652ec9c18244fc280044eca
SHA2566e46af397e31820f509674d6b97923ca511d303a0e170fd29acfc3f21722ac89
SHA51266eb86658346b552c159efcec640892935c37bda9e601c913fbc5a2a1406a57ff1cbf200012043bb0dadd0493fbbf4cae0e6c968af5fb2bb11af33a202109094