d6193ac848e9413eb2a9158c9b50ddacaccc2877945b7f9d0bc5c387e1cc1d81

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Multi_Giftcard_Gen.rar
Size

3.8MB
MD5

92a1c10a5e9a6c1f06943f1b979c4d20
SHA1

a5ce9d457e7a614ca1f3e17d60434a61fbe32098
SHA256

d6193ac848e9413eb2a9158c9b50ddacaccc2877945b7f9d0bc5c387e1cc1d81
SHA512

444af96f84a33776c3a67dbd0635a269f8639723e745a2cd45ca8c8fe3a0588180106c33e60c75b116d5ddaf6464d3e2dea0ae3f2b4cdbda54344e0fe773e870
SSDEEP

98304:cAYXzcJR91qlLDDRTUWBX2xUlNflDRQAA9XgtJaJxFJtL:cAozyqlnDRT421tpZLaJxFJV

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.md	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\md_auto_file\shell\open\command	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2844	NOTEPAD.EXE
2752	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2780	7zFM.exe
2780	7zFM.exe
2780	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2780	7zFM.exe
Token: 35	2780	7zFM.exe
Token: SeSecurityPrivilege	2780	7zFM.exe
Token: SeSecurityPrivilege	2780	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2780	7zFM.exe
2780	7zFM.exe
2780	7zFM.exe
2780	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2780	1212	cmd.exe	29
PID 1212 wrote to memory of 2780	1212	cmd.exe	29
PID 1212 wrote to memory of 2780	1212	cmd.exe	29
PID 2780 wrote to memory of 2416	2780	7zFM.exe	32
PID 2780 wrote to memory of 2416	2780	7zFM.exe	32
PID 2780 wrote to memory of 2416	2780	7zFM.exe	32
PID 2416 wrote to memory of 2844	2416	rundll32.exe	33
PID 2416 wrote to memory of 2844	2416	rundll32.exe	33
PID 2416 wrote to memory of 2844	2416	rundll32.exe	33
PID 2780 wrote to memory of 2752	2780	7zFM.exe	35
PID 2780 wrote to memory of 2752	2780	7zFM.exe	35
PID 2780 wrote to memory of 2752	2780	7zFM.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Multi_Giftcard_Gen.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Multi_Giftcard_Gen.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOCDA69EC6\README.md
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCDA69EC6\README.md
      4⤵
      Opens file in notepad (likely ransom note)
      PID:2844
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCDA46217\amazon.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCDA46217\amazon.txt

Filesize
1.8MB

MD5
320012a4f7a0fee4bf0f79ae4f3d583d

SHA1
fe9156b9716e898ea4059315831052355137874b

SHA256
c6718f81ceddfe6ec8a6bdeb299f644a8cf784a4aad3a3cec3077f0fccc0cd00

SHA512
86c89f743f3a62cd80c87fe622cc8c1879b2621fa500a1fb7791fe377678b190ead247caa34ab60aa4114b0bd4d43c1f169ef66dc8c5819631fc4a8b2318d952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCDA69EC6\README.md

Filesize
819B

MD5
38c230403c2718404e7ec310b7ec3ba0

SHA1
f0ec09315f9d290005e0a778bdb2a1b061dea997

SHA256
0560fbdc579e282543ca1b69c66568e4b73dade606caa86c0fd77a3d5a89fdc1

SHA512
6f05590d479fa5f363fd69b5acb26a4b163db3b4b6efda6791b48076aff08df0e0804b652e9d51b1b6958e7fd1f2f2822508ce392e26f9b2a43a720276775e51

Download Submit