Analysis

max time kernel: 143s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 03:57
Static task: static1

Behavioral tasks:
- behavioral1: sample cmlauncher.zip, resource win7-20240220-en
- behavioral2: sample cmlauncher.zip, resource win10v2004-20240226-en
- behavioral3: sample installer.rar, resource win7-20240508-en
- behavioral4: sample installer.rar, resource win10v2004-20240508-en
- behavioral5: sample winrar-x64.exe, resource win7-20240611-en
- behavioral6: sample winrar-x64.exe, resource win10v2004-20240226-en
General

Target: installer.rar
Size: 2.2MB
MD5: 932e1521933cb130a32417ebefcd7f65
SHA1: 6498a4ef4a5aa03a4a244a4e1786f89fcc135a18
SHA256: fc9b9cc6bc5073977a2b4f50f6e0c7583106019a8e642514aa9dc11666013366
SHA512: 2d56ea1b910972957fe0aa0e0457f7328392b723c88f36af873278383fa19d1c802a07bc42ab5d642cfbb257886c29df271c15980ea2c077fbf27bb3e9c49a73
SSDEEP: 49152:WkiX7fzXIPeyum2UJCUle2JtQn7X/CI8pycA9QU3aB/F6UIS:IbzXenum2GtQL/zeyTo96TS
Malware Config

Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | rundll32.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe
  pid | process
  2488 | vlc.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vlc.exe
  pid | process
  2488 | vlc.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: vlc.exe
  pid | process
  2488 | vlc.exe
  2488 | vlc.exe
  2488 | vlc.exe

- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: vlc.exe
  pid | process
  2488 | vlc.exe
  2488 | vlc.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vlc.exe
  pid | process
  2488 | vlc.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2576 wrote to memory of 2632 | 2576 | cmd.exe | rundll32.exe
  PID 2576 wrote to memory of 2632 | 2576 | cmd.exe | rundll32.exe
  PID 2576 wrote to memory of 2632 | 2576 | cmd.exe | rundll32.exe
  PID 2632 wrote to memory of 2616 | 2632 | rundll32.exe | rundll32.exe
  PID 2632 wrote to memory of 2616 | 2632 | rundll32.exe | rundll32.exe
  PID 2632 wrote to memory of 2616 | 2632 | rundll32.exe | rundll32.exe
  PID 2616 wrote to memory of 2488 | 2616 | rundll32.exe | vlc.exe
  PID 2616 wrote to memory of 2488 | 2616 | rundll32.exe | vlc.exe
  PID 2616 wrote to memory of 2488 | 2616 | rundll32.exe | vlc.exe
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\installer.rar
  - Suspicious use of WriteProcessMemory
  PID: 2576

  C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\installer.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2632

    C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\installer.rar
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2616

      C:\Program Files\VideoLAN\VLC\vlc.exe
        command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\installer.rar"
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        PID: 2488