Analysis
- max time kernel: 147s
- max time network: 205s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-08-2024 14:37
- Static task: static1
General
- Target: x86_64-win64-ranlib.rar
- Size: 101.6MB
- MD5: 360e220a0ad7d7771381380291d1fdca
- SHA1: 8540aff3ff35c33a3537da15d7f59c87dbf367d6
- SHA256: 14fa452afcc4ff5ee00c88e603f670af754af1f8d0f53ae7cbaaa4b8c44afe1d
- SHA512: 0dc66bbcfdc3beb5f091c7f8fddf1148c89f98cd5ee177e1d7b4774ca224d6667e3fb8b14e0a198b3f6cfc8f27f1396cc4758db1852a25d0d72df17cb6ba8eee
- SSDEEP: 3145728:UMqnPiVuViUkukCc63AwWkFb6xuMPPXhz:ULnS0dkuk7ukuePh
Malware Config
Extracted config (lumma):
- https://racklilekwqp.shop/api
- https://locatedblsoqp.shop/api
- https://traineiwnqo.shop/api
Signatures
- Executes dropped EXE (1 IoC)
  Processes: win64.exe (PID 1052)
- Loads dropped DLL (1 IoC)
  Processes: win64.exe (PID 1052)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1052 (win64.exe) set thread context of PID 3276 (aspnet_regiis.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe (PID 920) for target PID 3276 (aspnet_regiis.exe); WerFault.exe (PID 3396) for target PID 3276 (aspnet_regiis.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by win64.exe; Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by aspnet_regiis.exe
- Modifies registry class (3 IoCs)
  Processes: Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings by cmd.exe; Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings by OpenWith.exe; Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings by OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 7zG.exe (PID 4676): Token SeRestorePrivilege; Token 35; Token SeSecurityPrivilege; Token SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 7zG.exe (PID 4676)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: OpenWith.exe (PID 4856); OpenWith.exe (PID 2752)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: PID 1052 (win64.exe) wrote to memory of PID 3276 (aspnet_regiis.exe), 9 occurrences
Processes
- C:\Windows\system32\cmd.exe (PID 436)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib.rar
  Signatures: Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 4856)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 2608)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\OpenWith.exe (PID 2752)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Program Files\7-Zip\7zG.exe (PID 4676)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\" -spe -an -ai#7zMap22102:118:7zEvent2663
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\win64.exe (PID 1052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\win64.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 3276, child of 1052)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe (PID 920, child of 3276)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1188
          Signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe (PID 3396, child of 3276)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1228
          Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 880)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3276 -ip 3276
- C:\Windows\SysWOW64\WerFault.exe (PID 3996)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3276 -ip 3276
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 482KB
  MD5: cb452ff0e3988a8c7fb41688ec781075
  SHA1: b290b4abf85e9ea8e936074af87a80a46a428d82
  SHA256: c0afba25a5bee7ede2e6613ee37cc06798eaa01db001818c8f170da140deab7c
  SHA512: 49df21c1362bdb12b908a2c8fbd9e4b671f32cd6505bc799500a831387c7c8bf302862dc003f7ebdd6d7b11f980bed2d28f5f7ac30550786af712f9336c98ec9
- Filesize: 269KB
  MD5: 2f09c68b10b5408c90e7c1a3cc6acb30
  SHA1: 3cfcca38337c19e8f9d0468153461a3dbb3fbab9
  SHA256: d4b670521fe8171afb54639e2ee31ae5d2474f2f4003e5535fe2cd4fa8d59163
  SHA512: f964a0aa40da7b6e470e8326b0f0ee50023e7ff4c2a9752e8ba2aefedddc3ee8ad3db69e350644aeddbfbe2768a8cb3e0898083e7901ed965b1927bdf61d85cf
- Filesize: 482KB
  MD5: 527215990a163859c5839bcb63c33939
  SHA1: 85a5d60cbbf4e9711886dc45a31e99c9bbc826ca
  SHA256: 9ff423e7e4032403d5edebd04950241bdeb393ea8d0a528aabd990a5f21ef9e6
  SHA512: 7730558b4476144891d090091d001f734866314d6006ffc464adcaa7c616fade623a4da0e061d15fc71c7b487b0247c469009d2bc6e24cff2c57c7b96cfe24cc