26742d280bd042e8013d09f191172a6df79a0fae23232f0e06b62e4995a61d49

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

popcorn.exe
Size

1.2MB
MD5

1f532218ff27c9db1cc49a19083136e9
SHA1

f1d22ee845fd359b38b490efea78cc71f60ad296
SHA256

26742d280bd042e8013d09f191172a6df79a0fae23232f0e06b62e4995a61d49
SHA512

ea716d5d1830a9edce6527c5b06fb6f97234b8a4f98dafdddad81bd1a66949543137051e4c7487c5086d74a1aacf59c4dfef0d545803de1f318a599631aa64fa
SSDEEP

24576:RddFMz0ES5hL+PXRSXTBvP7LIeUfcv0SLqffJgJLjXh0gYUAwvEDbSL:Rdd6z0TDtIfcsSLmfoXYURL

Score

8^/10

evasion persistence privilege_escalation ransomware

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 9 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1604	netsh.exe
2872	netsh.exe
1052	netsh.exe
2168	netsh.exe
1932	netsh.exe
1852	netsh.exe
2708	netsh.exe
2756	netsh.exe
1828	netsh.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\Wallpaper = "/f"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 30 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2664	ipconfig.exe
2868	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2604	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2056	3056	popcorn.exe	28
PID 3056 wrote to memory of 2056	3056	popcorn.exe	28
PID 3056 wrote to memory of 2056	3056	popcorn.exe	28
PID 3056 wrote to memory of 2056	3056	popcorn.exe	28
PID 2056 wrote to memory of 2676	2056	cmd.exe	30
PID 2056 wrote to memory of 2676	2056	cmd.exe	30
PID 2056 wrote to memory of 2676	2056	cmd.exe	30
PID 2056 wrote to memory of 2676	2056	cmd.exe	30
PID 2056 wrote to memory of 2824	2056	cmd.exe	31
PID 2056 wrote to memory of 2824	2056	cmd.exe	31
PID 2056 wrote to memory of 2824	2056	cmd.exe	31
PID 2056 wrote to memory of 2824	2056	cmd.exe	31
PID 2056 wrote to memory of 2664	2056	cmd.exe	32
PID 2056 wrote to memory of 2664	2056	cmd.exe	32
PID 2056 wrote to memory of 2664	2056	cmd.exe	32
PID 2056 wrote to memory of 2664	2056	cmd.exe	32
PID 2056 wrote to memory of 2868	2056	cmd.exe	33
PID 2056 wrote to memory of 2868	2056	cmd.exe	33
PID 2056 wrote to memory of 2868	2056	cmd.exe	33
PID 2056 wrote to memory of 2868	2056	cmd.exe	33
PID 2056 wrote to memory of 2808	2056	cmd.exe	34
PID 2056 wrote to memory of 2808	2056	cmd.exe	34
PID 2056 wrote to memory of 2808	2056	cmd.exe	34
PID 2056 wrote to memory of 2808	2056	cmd.exe	34
PID 2056 wrote to memory of 2564	2056	cmd.exe	35
PID 2056 wrote to memory of 2564	2056	cmd.exe	35
PID 2056 wrote to memory of 2564	2056	cmd.exe	35
PID 2056 wrote to memory of 2564	2056	cmd.exe	35
PID 2056 wrote to memory of 2836	2056	cmd.exe	37
PID 2056 wrote to memory of 2836	2056	cmd.exe	37
PID 2056 wrote to memory of 2836	2056	cmd.exe	37
PID 2056 wrote to memory of 2836	2056	cmd.exe	37
PID 2056 wrote to memory of 2604	2056	cmd.exe	38
PID 2056 wrote to memory of 2604	2056	cmd.exe	38
PID 2056 wrote to memory of 2604	2056	cmd.exe	38
PID 2056 wrote to memory of 2604	2056	cmd.exe	38
PID 2056 wrote to memory of 1604	2056	cmd.exe	40
PID 2056 wrote to memory of 1604	2056	cmd.exe	40
PID 2056 wrote to memory of 1604	2056	cmd.exe	40
PID 2056 wrote to memory of 1604	2056	cmd.exe	40
PID 2056 wrote to memory of 2872	2056	cmd.exe	41
PID 2056 wrote to memory of 2872	2056	cmd.exe	41
PID 2056 wrote to memory of 2872	2056	cmd.exe	41
PID 2056 wrote to memory of 2872	2056	cmd.exe	41
PID 2056 wrote to memory of 2168	2056	cmd.exe	42
PID 2056 wrote to memory of 2168	2056	cmd.exe	42
PID 2056 wrote to memory of 2168	2056	cmd.exe	42
PID 2056 wrote to memory of 2168	2056	cmd.exe	42
PID 2056 wrote to memory of 1932	2056	cmd.exe	43
PID 2056 wrote to memory of 1932	2056	cmd.exe	43
PID 2056 wrote to memory of 1932	2056	cmd.exe	43
PID 2056 wrote to memory of 1932	2056	cmd.exe	43
PID 2056 wrote to memory of 1852	2056	cmd.exe	44
PID 2056 wrote to memory of 1852	2056	cmd.exe	44
PID 2056 wrote to memory of 1852	2056	cmd.exe	44
PID 2056 wrote to memory of 1852	2056	cmd.exe	44
PID 2056 wrote to memory of 2708	2056	cmd.exe	45
PID 2056 wrote to memory of 2708	2056	cmd.exe	45
PID 2056 wrote to memory of 2708	2056	cmd.exe	45
PID 2056 wrote to memory of 2708	2056	cmd.exe	45
PID 2056 wrote to memory of 2756	2056	cmd.exe	46
PID 2056 wrote to memory of 2756	2056	cmd.exe	46
PID 2056 wrote to memory of 2756	2056	cmd.exe	46
PID 2056 wrote to memory of 2756	2056	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\popcorn.exe
"C:\Users\Admin\AppData\Local\Temp\popcorn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSC50.tmp\popcorn.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2824
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2664
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2868
- - C:\Windows\SysWOW64\find.exe
    find /i "IPv4"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2604
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1604
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2872
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2168
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=DISABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1932
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1852
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2708
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2756
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1828
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1052
- - C:\Windows\SysWOW64\mode.com
    mode 1000
    3⤵
    PID:476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\Desktop" /v Wallpaper
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Control Panel\Desktop" /v Wallpaper
      4⤵
      PID:1256
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:692
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe user32.dll, UpdatePerUserSystemParameters
    3⤵
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC50.tmp\9K21JM10B.439a

Filesize
2KB

MD5
6517e6a400a6513826b6645c05ba65dd

SHA1
7276d90aba97c29b48cd18f45ffbea97e44dfa05

SHA256
53d77f189d31e39e0c6db5f536365e5fb20dca8f18926fdd1f79e9b7b7e3b41c

SHA512
399959af3d6c502546092ce01d510564325e3d6fd1d170903ff6e19d92d9666a6ff48f63a6d0b608dc7581b8157c780efd159362b620d0eb2307869e1b5f125d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC50.tmp\AN.png

Filesize
750KB

MD5
bd767d7393fc891f04827e29c4965e22

SHA1
c2fb78e76c7c6e560a53ab32e8157382ce9bb1b4

SHA256
41311240c7dbf7718880577ca5961a924cc2257e604f47f9b189dc16dfb9ed09

SHA512
91fc7c447b6d425df25e666afa80dd6a51d5afcbbc9bb309b176ec56bc60f0af4f7063ed7adf65d044c8fa8f4148ca7ffd81cbcff6bc972b0b3e1ba61b5f9389

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC50.tmp\OIP__1_-removebg-preview.png

Filesize
96KB

MD5
192e86ff665955dd5c2055e441d483db

SHA1
ce610739104dc09943f5766c323ed72f3d3d243d

SHA256
8749f34c70444763ea089c5214ffa7a78df8781be129111ceab11f5241763aef

SHA512
842578bf6e733b6f1e5ccaf2a04f8abb4a937e617cfd862d0b924069cc1ff3bd8a2f3143265d3fb48555b0c400a371d5f6944ea6eed36d4c1d9b119564247f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC50.tmp\en.png

Filesize
199KB

MD5
b5f9f6595ec0b619595bae86b7eb7f1e

SHA1
5a2ca9aa9e74efeec819bb9d126c74d1ac5d4822

SHA256
fc69c6a23bcab6fd0789b3cfe302b37b4b740391fbca941a8f99e1542acaa692

SHA512
61a479cd17199db34e953654efd6637e6f5a919d0d1d48a440a460d15a8d8f6fae98698042e95735acfe585f52e6dc9b99377fcb11768cd32030aa77119916d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC50.tmp\popcorn.bat

Filesize
3KB

MD5
c9b9367cd8f0cf2e6d961c171854a3bc

SHA1
3e0401f5aea8542528da1ec32fb0b01091d99e7d

SHA256
30e2ff1f510fad33a21e8a90987f1f9362f22264a6b12f21357d8b6861772cce

SHA512
8029f1ab10d517e03ccfc3a9d8cdeca63326e414bf2419313d3e12a7575ffa2b979c8bc4a7853bd5cfa27f686c8a9d3412dda000702400be73b9752e67207e83

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads