Analysis
-
max time kernel
445s -
max time network
361s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
01-02-2024 16:28
General
-
Target
Application65bbc577b4bf7.rar
-
Size
7.9MB
-
MD5
425043b149d5141589975e92a3c3475e
-
SHA1
308a07b116b2f46e424919d797c555bb4c066194
-
SHA256
d69be3adda5c9e44da6b9c7e3906100eb9d801e26d4436f55d38d6a1c02cad79
-
SHA512
1b069341765407d052c82c958c517b22721189e6dcb92c2625b4fa22c209bfae305783dcd3e5da9b85379d3cf1cebd7f8fb15015c28799a46b99ca27874c7523
-
SSDEEP
196608:22orhpx9tjnBg/FxkjvgR6esYAh7xhTuLtHmcB7a9T:ZoHxjjBQx4otsYKD80cFap
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Downloads MZ/PE file
-
.NET Reactor proctector 6 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 26 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Application65bbc577b4bf7.rar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Application65bbc577b4bf7.rar2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Application65bbc577b4bf7.rar"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO4B8101C6\lic.exe"C:\Users\Admin\AppData\Local\Temp\7zO4B8101C6\lic.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zO4B82B7D6\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zO4B82B7D6\setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\setup.exe"C:\Users\Admin\Desktop\setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\INSTALLER\PRWISDEVTI.exeC:\INSTALLER\PRWISDEVTI.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 5963⤵
- Loads dropped DLL
- Program crash
-
C:\INSTALLER\KZCVDTPITG.exeC:\INSTALLER\KZCVDTPITG.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 6003⤵
- Loads dropped DLL
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=UZfBnXM8WuY2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\INSTALLER\KZCVDTPITG.exeFilesize
690KB
MD5c7403fc0ed6104c1e9867e060d109533
SHA1227044b4b0b3308a314c9f76a98c3375732d58e7
SHA256e9ab9e4824673e29d3ae89bd0f5562a5cc174afb1a551b1ed84f83cbc69d3df7
SHA51204dae50abb606bd27a5dbe3320e1bd503ab1863f6e1cebbb905f0c097d118efce4d008c7475adb8f33d52d24ff644e317ca4e33be368cf4b55bf7d970921b58a
-
C:\INSTALLER\KZCVDTPITG.exeFilesize
254KB
MD5918364137dba97aee82336ef322a6d36
SHA164badf23ece9658423f6036791e1603843ae3e7e
SHA256e61de748409529360426ad4f1c2d47504b5fa014b94ba1230bb454baf80893e3
SHA5128f0cd71385250108d870dc5a185a788ec24d33ef8e6a801d0ce2da8d1c44b8cb901e4982cc0dd3208e5ce6ea228f08993837da020b0e7583c0cd66ba7d46f996
-
C:\Users\Admin\AppData\Local\Temp\7zO4B8101C6\lic.exeFilesize
1.8MB
MD5b98f53b2d0511342797c267ed15274f8
SHA1e513ff4079d3a554b11e8aa747b97e9ae384584d
SHA2562c3ef8a234228f6d5e86d3b1158ced57aebfdc709040ce1f77ef50f4af122ee9
SHA51227668cf485ad880ea0bf3166ae3bb21fbedc88559b18abf3436bd85b7a43390f058373f1b3c99d95025cfbfb91de45c302e1cdf532c3b813abe5d2e93725461c
-
C:\Users\Admin\AppData\Local\Temp\7zO4B8101C6\lic.exeFilesize
1.9MB
MD5c5115615028d90ce16290fc83f8be9b8
SHA16b389411b51761e16477f81570e63558cf573fb6
SHA2563e9088059d873eb04db292b579e7c6d310e642cc59f2b2f18d211278c0971301
SHA512989aacbdc5daaf136b03728b9460e9684a26376755550930bfbcb3635783479e5b6e56b375b6e76d71a1a5409182b41ea9f5cc845b5a8d4a0e03520d1fcff174
-
C:\Users\Admin\AppData\Local\Temp\7zO4B82B7D6\setup.exeFilesize
884KB
MD5fa4577549a0cf34961a13259dcaf4179
SHA17ac1adabd78f56347c6df69a10d3cce43a646575
SHA2569d6d6414e047d9e5915052da3d514db2e6d80e41df7ba983fefaa4e03698b45f
SHA5121de48b3f8e7ee64a953b6e389981e70503a283b3b9aa6433f16eeca16847af0c3d1cf4464548a89e7650828036cd83be323e55f3709ce2f8421eccfb6e929013
-
C:\Users\Admin\AppData\Local\Temp\7zO4B82B7D6\setup.exeFilesize
546KB
MD5d613f0b763e5dbee8629506cda3642f4
SHA16d04415e91a76f8dddc3cc8e5a4a78fbcb49099e
SHA2567d476aa4a9ec04851810bc7ca10472b23c0986520679b9aac654ede59f80c6fd
SHA5126ed34345cef49bb9f26d82dbc76cfc0592b03657b8adab755b572566f45769939df3d828d8921473a9a1a30268168c0b012f4cda13607f1ab3345ba3cbc15236
-
C:\Users\Admin\AppData\Local\Temp\7zO4B82B7D6\setup.exeFilesize
153KB
MD5ccbc856ac7feb4a4a7bf543f82a1dce0
SHA1536ef3eb9f432e49f2b9b98f1592a2e0d4654629
SHA256181505a5b888f14695adff27b04f4881f865248abf3c8d09fbd420a24277e017
SHA5126af2828ba382d4cadbad8ebc59d94ab4007fc9fcdd05ca608fbd48253ea62a908b98b4d480d4ed40b8043401eec579d5dd1f800c87c39d8058d58a68dc6559af
-
C:\Users\Admin\Desktop\data\data.datFilesize
1.2MB
MD5f2d3bcb9a38dfa4a90daccb9ca2a3b54
SHA17867f9902cd17d7af4e6a671a6e50c3dfd3ef9ad
SHA256f073ec203af3d6f8aeddcd8e0c2cc003009224fc3b3c5545eb3add89bcab0890
SHA512c3411d08305b6c46cfb1d1faa5e280e3a202859c54b2f4fa8383544085d8a13ec6ba2ff31bc8ba7719152ec5de9e03bc8170e73b04b9a76b54c9136ac8fe9186
-
C:\Users\Admin\Desktop\data\program.PNGFilesize
696KB
MD5a3d4494188555fd642820346806fd1d8
SHA153a37fb21d1fdc91cdea14721eeecac83cc2825c
SHA256ace20dad2b8ef82a5f8674afc8e9ca05f5f3f63efc798d66b43eb7124dc802ca
SHA512a4265bf8fb50fbdb1b13b3d03126b2ec354cbd4c0ee9baa51911700e1be73753f549b1a8cdace269b674afaab04b03f545a2a383f3fd8a0b7898b8498a4a25e4
-
C:\Users\Admin\Desktop\setup.exeFilesize
2.4MB
MD57f54443d32cdd5cf6e35e1ae2f0752e4
SHA1d4f301deb61879f03dcf4288079c59c92bd707c8
SHA256a0ade14c80d112c17c75d8deafb41ad180f9bbb09099632831181949a6eb7593
SHA512618dad339357cd687ec6360d44c74c69faaef85336cab47be710c8ff9b82e196837bcab5509b5322655502e68e0bc04b34185af0822244a99fbf9e9d2ff1fdfe
-
C:\Users\Admin\Desktop\setup.exeFilesize
2.1MB
MD5ed8995bbdeefd50578b82853fe3cf1d7
SHA1b2cdbd56815914f2b57d5fc0eb8a29677676a737
SHA256e6b832a7807f7ab40a472793f3bac2f270093c37627450e0e4461911bd512801
SHA5121e9f7f7d4c9d695b6ec4832f209650d1e43d3c3faabd153a08893d42c191d007dab09d262273be285053eec0fd1083f15a0bf3c1ea8a8e2e9326bc8bec865156
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\INSTALLER\KZCVDTPITG.exeFilesize
691KB
MD5b88438d1f6cbaf3a51dbc187bade0a70
SHA12ece870123de075524b3d376fd21549f8efb5a1a
SHA256d680176f60befcc0f227009f479cb55a2ffb14660bc2cdc3887773bfc74b517b
SHA5126b53263bed81d43628c09180bdc8b541b0d2a52b6da30c469601e95f28079b448215d71b9fa7fab6dc63350189ee9d4b536ebaff888e37420eb10d6d24bc2a0d
-
\INSTALLER\KZCVDTPITG.exeFilesize
442KB
MD5527738fa009eeb7255ecb7a725326073
SHA1d11903d4e4c7eef3e26bd08228116eddc17110e2
SHA2562cbc04dd571b874cccd03189afaeaf7539c74568f7f828a0eab7401afbda178c
SHA512cc4960664a932524f8d486e3ba619358573de8a0b4cabece4468a0d99ae0a5bc9df8e30959fa6c9f9a819a9989c57ec5341bb404af18170761f7b33d530633bb
-
\INSTALLER\KZCVDTPITG.exeFilesize
576KB
MD5dd0ca66013b08e1dd81a4311e84fc26d
SHA1813b471c9b8c43144ae25d1fdddcbf0d1b322e10
SHA256b7f2e8d45bd4692ac1dc21b918bfb256c30fbc90d055f7fbcae247a9154dc819
SHA51257cccf74b59ad65b61df334b666a71d1657520a07d566ed8bb593fd5bf752b759ebe00860a448742089970041cf9cd9a3019b19c5de5dd5ea55a49eef61f9222
-
\INSTALLER\KZCVDTPITG.exeFilesize
314KB
MD55d3c4c108372bbae515a8bc8ad44cc25
SHA12d5b99f7c1c25c29e34c115eb8ced6c8d48ba714
SHA256c2216fcb02e1e4e918cd6b0e5d81382b38eced2a5f7b98a569987c6c89e4b5b1
SHA5121a8485a9077c19c18c835d893eeb3726a825ece32f1a43c5d8a0b8d9229146efe6ef810fbe6e00eb5717320bc6704eb73a88808700f4f6818db74867b7083551
-
\INSTALLER\KZCVDTPITG.exeFilesize
589KB
MD563f32bbebbc2cc3661b32d2e8d65a0d6
SHA191133ea5fbae6a20297060d148bda3acd3b289c8
SHA256d01ea4d18a8318c8f7f0fe2e578584750d7e75778d02c91a0431b3d606321dd2
SHA5128147aff4f050de563b2489f1d949161b651960acb09bf50ec370b53e910d3a2b65c28777120ed6dcfbf71a3067a1242f06dfc3c04709d32aab9a9f7ea8b762ca
-
\INSTALLER\KZCVDTPITG.exeFilesize
301KB
MD5c793325dfa974f1eabbbdd96f79aa235
SHA11de42e40418f22059786ffe2378fdf0269148c36
SHA2560704e397cf6f5d73b1d15d77fb49ade558c7d5003205866a3a1ee28f145374f4
SHA5127290549e8d648618e3acf3123ef9c1b47e38e6427d4e07bd100760be972aa26966e7d577073a69fd3766f2bfd3f31237437e444cad51d2630437c97e5bd4e3e3
-
\INSTALLER\PRWISDEVTI.exeFilesize
289KB
MD5c8f3472f289e7de5fd896a1ed6aa9f59
SHA18f0fb303f3626006f5babd5ef1a61ccd718539b9
SHA25652648b9cfe4b99d4fa6b4c1c976c158f5354a7538ccb36803997fe5b94fd884b
SHA512b16d51ebee0a938de6ebd1ee5e595f702bcc2c16d5ef0372d8c0431fbc61bec6b5395a423e2f2f461a4990ee058cd6e78f7fa2102e4bc341e34866a2fadc3644
-
\Users\Admin\Desktop\setup.exeFilesize
3.3MB
MD59771fe3280cff3cf6a0bc1c2e198927a
SHA1f0db8026b97524d51d73bddeeb182b085df73c73
SHA25689b52748bdc7be9b5384abca360855c8ba8b4a2679e3f0c25877cd7a60afc5c7
SHA51290e42437c132577355f8a4c1e48ccfc44df101c54d9f92d7fee1db14c11dd58d790b5c712bd82064d303da08cb4bb1407988542bdc98440bcc3dd1fadba8e78b
-
memory/632-231-0x00000000728C0000-0x0000000072FAE000-memory.dmpFilesize
6.9MB
-
memory/632-202-0x0000000004920000-0x00000000049C0000-memory.dmpFilesize
640KB
-
memory/632-208-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-249-0x00000000728C0000-0x0000000072FAE000-memory.dmpFilesize
6.9MB
-
memory/632-236-0x00000000022D0000-0x00000000042D0000-memory.dmpFilesize
32.0MB
-
memory/632-235-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-233-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-234-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-232-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-207-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-206-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-205-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/632-211-0x00000000022D0000-0x00000000042D0000-memory.dmpFilesize
32.0MB
-
memory/632-204-0x00000000728C0000-0x0000000072FAE000-memory.dmpFilesize
6.9MB
-
memory/632-203-0x0000000004840000-0x00000000048DE000-memory.dmpFilesize
632KB
-
memory/1068-50-0x00000000018C0000-0x00000000018C1000-memory.dmpFilesize
4KB
-
memory/1068-51-0x0000000000010000-0x000000000165C000-memory.dmpFilesize
22.3MB
-
memory/1912-37-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1912-158-0x0000000000400000-0x00000000007FB000-memory.dmpFilesize
4.0MB
-
memory/1912-55-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1912-157-0x0000000000400000-0x00000000007FB000-memory.dmpFilesize
4.0MB
-
memory/1912-52-0x0000000000400000-0x00000000007FB000-memory.dmpFilesize
4.0MB
-
memory/1912-266-0x0000000000400000-0x00000000007FB000-memory.dmpFilesize
4.0MB
-
memory/1912-54-0x0000000000400000-0x00000000007FB000-memory.dmpFilesize
4.0MB
-
memory/2524-24-0x0000000004040000-0x0000000004050000-memory.dmpFilesize
64KB
-
memory/2524-25-0x0000000004030000-0x0000000004031000-memory.dmpFilesize
4KB
-
memory/2956-230-0x00000000013E0000-0x0000000002A2C000-memory.dmpFilesize
22.3MB
-
memory/2956-185-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/2956-146-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/2956-255-0x00000000013E0000-0x0000000002A2C000-memory.dmpFilesize
22.3MB
-
memory/2956-159-0x00000000013E0000-0x0000000002A2C000-memory.dmpFilesize
22.3MB
-
memory/2956-225-0x00000000013E0000-0x0000000002A2C000-memory.dmpFilesize
22.3MB
-
memory/2956-196-0x00000000013E0000-0x0000000002A2C000-memory.dmpFilesize
22.3MB
-
memory/2956-241-0x00000000013E0000-0x0000000002A2C000-memory.dmpFilesize
22.3MB
-
memory/2956-237-0x00000000013E0000-0x0000000002A2C000-memory.dmpFilesize
22.3MB
-
memory/3056-226-0x0000000004710000-0x0000000004750000-memory.dmpFilesize
256KB
-
memory/3056-228-0x00000000021B0000-0x00000000041B0000-memory.dmpFilesize
32.0MB
-
memory/3056-184-0x0000000004680000-0x00000000046B0000-memory.dmpFilesize
192KB
-
memory/3056-181-0x0000000004710000-0x0000000004750000-memory.dmpFilesize
256KB
-
memory/3056-182-0x0000000004710000-0x0000000004750000-memory.dmpFilesize
256KB
-
memory/3056-183-0x0000000004710000-0x0000000004750000-memory.dmpFilesize
256KB
-
memory/3056-180-0x00000000728C0000-0x0000000072FAE000-memory.dmpFilesize
6.9MB
-
memory/3056-186-0x0000000004710000-0x0000000004750000-memory.dmpFilesize
256KB
-
memory/3056-227-0x0000000004710000-0x0000000004750000-memory.dmpFilesize
256KB
-
memory/3056-179-0x0000000001ED0000-0x0000000001F02000-memory.dmpFilesize
200KB
-
memory/3056-253-0x00000000728C0000-0x0000000072FAE000-memory.dmpFilesize
6.9MB
-
memory/3056-189-0x00000000021B0000-0x00000000041B0000-memory.dmpFilesize
32.0MB
-
memory/3056-217-0x00000000728C0000-0x0000000072FAE000-memory.dmpFilesize
6.9MB
-
memory/3056-218-0x0000000004710000-0x0000000004750000-memory.dmpFilesize
256KB
