a4b05d52ea75d56b2e6ba0a153eb638290b546a86e5702b6ab1a15243a1e25a7

Resubmissions

03-04-2024 19:54

240403-ymwwtabd88 10

29-03-2024 17:27

240329-v1sjrsde91 10

Analysis

max time kernel
206s
max time network
216s
platform
windows11-21h2_x64
resource
win11-20240319-en
resource tags

arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inchr_StExta_Itst_v.3.1.rar
Size

102.1MB
MD5

b35a8f49f22ba7206fad6526ac34f676
SHA1

6a891561a94655ae415b588104e62e5b0bb4d56f
SHA256

a4b05d52ea75d56b2e6ba0a153eb638290b546a86e5702b6ab1a15243a1e25a7
SHA512

e9713bd82429611fd5799470a5e19defa09d960d336245733f38f08b4dbbbc67b6b7fa4a6a09a8885c0ac3f6605e82675ca8deee2103f85ee0782c44c6daaf0e
SSDEEP

3145728:okTYasCFkAhweVB8SWh/s1ncJVn+t6Y7MREum8ySR1F:zkAhwjSWRCc/+t6EMRMBSR1F

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 63 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\NodeSlot = "10"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Applications\7z.exe	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Applications\7z.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 = 50003100000000007358ebab1000372d5a6970003c0009000400efbe7358ebab7358ebab2e000000659d020000001c0000000000000000000000000000005e3ef30037002d005a0069007000000014000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\NodeSlot = "9"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Applications\7z.exe\shell\open\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 = 8c0031000000000073583bae110050524f4752417e310000740009000400efbec552596173583bae2e0000003f0000000000010000000000000000004a0000000000cafc0401500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Applications	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000300000000000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3156	7z.exe
Token: 35	3156	7z.exe
Token: SeRestorePrivilege	4404	7z.exe
Token: 35	4404	7z.exe
Token: SeRestorePrivilege	5836	7z.exe
Token: 35	5836	7z.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
4724	MiniSearchHost.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe
4644	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 3156	4644	OpenWith.exe	87
PID 4644 wrote to memory of 3156	4644	OpenWith.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1.rar
1⤵
- Modifies registry class
PID:4476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3156

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\Inchr_StExta_Itst_v.3.1.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads