194bbbe678f8f36fd11a7fe6053c8dfc8f4d304cc5c7097c03ff6ca301d052a9

General

Target

Lossless-Scaling-SteamRIP.com[1].rar
Size

44.4MB
MD5

d385a7c53e65b104d6619f14ff0b020c
SHA1

3274c0758ef45de6cd70eefd5a418e6780cd20d2
SHA256

194bbbe678f8f36fd11a7fe6053c8dfc8f4d304cc5c7097c03ff6ca301d052a9
SHA512

ebbc735a30c340d7e72b8fc0d2424d394eee84ba0f9324860210161f498c1956c71943c22324e4df62d59097893d71d62d3aa774130802e85832478f309b386e
SSDEEP

786432:4/pSQ2FZqm6cmyzKLkEzwHj8JrMSvddgDJulQCBX157WNxlSLG7aNwbdwO4pfPzs:4UjZqYmtJUD8JoSMJoNv7WQLQSwbqhI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
868	LosslessScaling.exe
1504	LosslessScaling.exe
1940	LosslessScaling.exe
3924	LosslessScaling.exe

Loads dropped DLL 4 IoCs

pid	Process
868	LosslessScaling.exe
1504	LosslessScaling.exe
1940	LosslessScaling.exe
3924	LosslessScaling.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Colors	LosslessScaling.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Colors	LosslessScaling.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Colors	LosslessScaling.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Colors	LosslessScaling.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	7zFM.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3184	regedit.exe
4308	regedit.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4932	7zFM.exe
4932	7zFM.exe
868	LosslessScaling.exe
868	LosslessScaling.exe
1940	LosslessScaling.exe
1940	LosslessScaling.exe
3924	LosslessScaling.exe
3924	LosslessScaling.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4932	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4932	7zFM.exe
Token: 35	4932	7zFM.exe
Token: SeSecurityPrivilege	4932	7zFM.exe
Token: SeSecurityPrivilege	4932	7zFM.exe
Token: SeDebugPrivilege	868	LosslessScaling.exe
Token: SeDebugPrivilege	1940	LosslessScaling.exe
Token: SeDebugPrivilege	3924	LosslessScaling.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4932	7zFM.exe
4932	7zFM.exe
4932	7zFM.exe
4932	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
868	LosslessScaling.exe
1504	LosslessScaling.exe
1940	LosslessScaling.exe
3924	LosslessScaling.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3184	4932	7zFM.exe	87
PID 4932 wrote to memory of 3184	4932	7zFM.exe	87

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lossless-Scaling-SteamRIP.com[1].rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\7zO443D5CB7\_Lossless Scaling - Registry Fix.reg"
  2⤵
  - Runs .reg file with regedit
  PID:3184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4456

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\Lossless Scaling\_Lossless Scaling - Registry Fix.reg"
1⤵
- Runs .reg file with regedit
PID:4308

C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe
"C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:868

C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe
"C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe
"C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe
"C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

Filesize
2KB

MD5
ace795bd58a45d23bac1c6e60ec23df3

SHA1
88a78c643a5b10fc175886cc9cb12f45ef501492

SHA256
c34328175332f4cab70206ba70faf4dbc483d6b0d38f7f6af7d6dba3da9242b0

SHA512
11cde86b8ada81857036ebbd22cf6025a90f12d6048033fa43ffbb8fb30d0f6892a853c6521ee3719f031ba9b3906e374b86cd40568c536d1c2bf60027ef4985

Download Submit
C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

Filesize
2KB

MD5
ca1ae192d665c772545d1ac5bba4c4ab

SHA1
b84751ad56d1308d10c1c611f011b2db1c1d5aeb

SHA256
62dd848dc795ba3ebbeb4de056343a6a068a26e265dbe2c1af18895bdea0ef33

SHA512
57dc89da0dbf4dfe7ed4e735b18a27a6bc05ba7c90c1bee9869593b94bf02108759cd99d5d7eeb24336e7793015a8dc72ad2de6cc6c199ba2948047c2beacd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LosslessScaling.exe.log

Filesize
3KB

MD5
137b687e9203dcd674ebe49c0652be64

SHA1
ca77ecea73ad7eeb8fa3709d9db24e0de9a28163

SHA256
a57fbb7a3fd76af170e70ed63bdea9f5329ad185c67fed985d95273b49846781

SHA512
2e5882816624e382dace7ce26374b2b2657501a76c3aca8dc2433850b5fde354af8d302d651f8b0544eed2256fc2a7f6596a2b1e4908a0eb2b6569a21bfa64c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO443D5CB7\_Lossless Scaling - Registry Fix.reg

Filesize
120B

MD5
a95106d7c9fc3fb18a2fbe1885de09dd

SHA1
3debdeee76208de099b80eff33949371f02bf575

SHA256
61df13bae98f10c330a751875146dd81bca223036d6470ebb9fffdc0b47f0fe2

SHA512
d81d70466f4ff81111d2a9d0a63cc7371d75568b1a1c5fe0aef638742cef30c92cddc20b22683d3fb32331d328dba57005a3698569e9edb10d1fc63ff29718b2

Download Submit
C:\Users\Admin\Desktop\Lossless Scaling\Lossless.dll

Filesize
279KB

MD5
7fbc0ab62cdb16cc5852a6d57590f2a1

SHA1
c5c70f574c2a75deb8e830947cc8f85e85817195

SHA256
44e8da2af39c6a8de828ee12ab53cbb38df210be59e6a99af0cedd031bcf4d3a

SHA512
c308457f5f50ce7fc305515da6b11885e6e33297e972921c23cb13fcbbe058e3d6f34ad8e04aef2008d9cb6a783949da3f54097533994913051901b5dae3ae75

Download Submit
C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe

Filesize
964KB

MD5
9cfb9984a53f41ebdf00f8f0633fde26

SHA1
a13985c15c6402d25c9e9c64f4e9947fd685635f

SHA256
4b07ba9c32b61773cfb0e2d7b13689c26a13a6dc463b9294aeb1d5e8e4159e8d

SHA512
2a768a77151353e693fb15abc4f72842c002043dece1920e8bddef04c2d620c7345650d369ccab463a72a55939ad7b3bf8fc8e9c3a6f55d8e7ab76ad331b5eea

Download Submit
C:\Users\Admin\Desktop\Lossless Scaling\LosslessScaling.exe.config

Filesize
174B

MD5
2a2df45a07478a1c77d5834c21f3d7fd

SHA1
f949e331f0d75ba38d33a072f74e2327c870d916

SHA256
051099983b896673909e01a1f631b6652abb88da95c9f06f3efef4be033091fa

SHA512
1a6dd48f92ea6b68ee23b86ba297cd1559f795946ecda17ade68aea3dda188869bba380e3ea3472e08993f4ae574c528b34c3e25503ee6119fd4f998835e09d7

Download Submit
memory/868-359-0x00000252E8710000-0x00000252E87F6000-memory.dmp

Filesize
920KB

Download
memory/868-362-0x00000252CE570000-0x00000252CE57A000-memory.dmp

Filesize
40KB

Download
memory/868-366-0x00000252EBC90000-0x00000252EBD42000-memory.dmp

Filesize
712KB

Download
memory/868-367-0x00000252EBE00000-0x00000252EBEBA000-memory.dmp

Filesize
744KB

Download
memory/868-368-0x00000252E9770000-0x00000252E97A8000-memory.dmp

Filesize
224KB

Download
memory/868-369-0x00000252EBDF0000-0x00000252EBDF8000-memory.dmp

Filesize
32KB

Download
memory/868-371-0x00000252ECCD0000-0x00000252ECCDE000-memory.dmp

Filesize
56KB

Download
memory/868-361-0x00000252CE560000-0x00000252CE568000-memory.dmp

Filesize
32KB

Download
memory/868-360-0x00000252CFF70000-0x00000252CFF96000-memory.dmp

Filesize
152KB

Download
memory/868-358-0x00000252CE040000-0x00000252CE136000-memory.dmp

Filesize
984KB

Download

Resubmissions

Analysis

Sharing