Overview

Score  Tab / Sample          Platform
9      Static                -
7      release.zip           windows7-x64
1      release.zip           windows10-2004-x64
1      release.rar           windows7-x64
3      release.rar           windows10-2004-x64
7      release/ma...at.exe   windows7-x64
9      release/ma...at.exe   windows10-2004-x64
9      release/ma...er.exe   windows7-x64
9      release/ma...er.exe   windows10-2004-x64
9      release/map/map.exe   windows7-x64
9      release/map/map.exe   windows10-2004-x64
9      release/readme.txt    windows7-x64
1      release/readme.txt    windows10-2004-x64
Analysis

max time kernel:  144s
max time network: 123s
platform:         windows7_x64
resource:         win7-20240611-en
resource tags:    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted:        16-06-2024 17:04
Behavioral tasks

Task          Sample                    Resource
behavioral1   release.zip               win7-20240611-en
behavioral2   release.zip               win10v2004-20240226-en
behavioral3   release.rar               win7-20240611-en
behavioral4   release.rar               win10v2004-20240226-en
behavioral5   release/main/cheat.exe    win7-20240611-en
behavioral6   release/main/cheat.exe    win10v2004-20240611-en
behavioral7   release/main/loader.exe   win7-20240508-en
behavioral8   release/main/loader.exe   win10v2004-20240611-en
behavioral9   release/map/map.exe       win7-20240611-en
behavioral10  release/map/map.exe       win10v2004-20240508-en
behavioral11  release/readme.txt        win7-20240221-en
behavioral12  release/readme.txt        win10v2004-20240508-en
General

Target:  release.rar
Size:    11.3MB
MD5:     5c001e7cd4bead1393a073f4db374f2b
SHA1:    126db88412f3b4c26c7c03c7ecf003dafa69b671
SHA256:  957bc987044ba0adaa749cdca6e8e74b560d2484a00ce8eeda77b4964f25bf97
SHA512:  fc48c73a1869cb2f6a89f792e1a50bb3349b4a1625d4ba8e22839c5ded2b4ec7a81763749ec05d4c94081659dd50a6395fbee059a7c24a84640be132121dbdb0
SSDEEP:  196608:nCwrLldq0DxetYixAvGUFi0gpuKLoqizxw1p9o3IVTiypXyGv:ho0o9A+UA0gxLonzc9o3IB/sGv
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description   ioc                                                                                  process
  Key created   \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings  rundll32.exe
  Key created   \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings  rundll32.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe
  pid   process
  2484  vlc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vlc.exe
  pid   process
  2484  vlc.exe

Suspicious use of FindShellTrayWindow (9 IoCs)
  Processes: vlc.exe
  pid   process
  2484  vlc.exe  (9 hits)

Suspicious use of SendNotifyMessage (8 IoCs)
  Processes: vlc.exe
  pid   process
  2484  vlc.exe  (8 hits)

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vlc.exe
  pid   process
  2484  vlc.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, rundll32.exe, rundll32.exe
  description                         pid   process       target process
  PID 2352 wrote to memory of 1940    2352  cmd.exe       rundll32.exe
  PID 2352 wrote to memory of 1940    2352  cmd.exe       rundll32.exe
  PID 2352 wrote to memory of 1940    2352  cmd.exe       rundll32.exe
  PID 1940 wrote to memory of 2540    1940  rundll32.exe  rundll32.exe
  PID 1940 wrote to memory of 2540    1940  rundll32.exe  rundll32.exe
  PID 1940 wrote to memory of 2540    1940  rundll32.exe  rundll32.exe
  PID 2540 wrote to memory of 2484    2540  rundll32.exe  vlc.exe
  PID 2540 wrote to memory of 2484    2540  rundll32.exe  vlc.exe
  PID 2540 wrote to memory of 2484    2540  rundll32.exe  vlc.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\release.rar
   PID: 2352
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\release.rar
      PID: 1940
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\rundll32.exe
         Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\release.rar
         PID: 2540
         - Modifies registry class
         - Suspicious use of WriteProcessMemory

         4. C:\Program Files\VideoLAN\VLC\vlc.exe
            Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\release.rar"
            PID: 2484
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx