7728801d200d18fb1824faa0199d8eeef78d1bebb74b1c1ec7d6c040b5992dba

Analysis

max time kernel
102s
max time network
69s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/app-64.7z
Size

74.8MB
MD5

dc8b9e11629b0428d884f11b5aabf7a0
SHA1

37c5d1a15e39aecf185481de12ef3cbf11a1c3f8
SHA256

2f4bb34d0c7a7f2f4fd7d8776fbb74eb7fc543ea555a4c3403d5436d4f6e760d
SHA512

2263d3d8281de36bbb4ba55b11024245917535cdfb28df2c56aacbe0c32266649c9b8c621e90ea74e3b1916ef240b3e873569294214a057518d067b88562176b
SSDEEP

1572864:xJ39Kk9MWTI/m2cB8ceyIS7nqYdd6hIEhSmn6nlN/oFuA:Ik9MWTI/mN/vP7nMhJnUXo0A

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2876	fifinemixerSetup.exe
1168	elevate.exe
2468	elevate.exe
1712	elevate.exe

Loads dropped DLL 4 IoCs

pid	Process
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elevate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elevate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elevate.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.asar\ = "asar_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.asar	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\asar_auto_file\shell\open\command	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3068	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2420	7zFM.exe
Token: 35	2420	7zFM.exe
Token: SeSecurityPrivilege	2420	7zFM.exe
Token: SeSecurityPrivilege	2420	7zFM.exe
Token: SeSecurityPrivilege	2420	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2420	7zFM.exe
2420	7zFM.exe
2420	7zFM.exe
2420	7zFM.exe
3068	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 3068	2668	rundll32.exe	35
PID 2668 wrote to memory of 3068	2668	rundll32.exe	35
PID 2668 wrote to memory of 3068	2668	rundll32.exe	35

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Users\Admin\Desktop\fifinemixerSetup.exe
"C:\Users\Admin\Desktop\fifinemixerSetup.exe"
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\app.asar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\app.asar
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:3068

C:\Users\Admin\Desktop\elevate.exe
"C:\Users\Admin\Desktop\elevate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1168

C:\Users\Admin\Desktop\elevate.exe
"C:\Users\Admin\Desktop\elevate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468

C:\Users\Admin\Desktop\elevate.exe
"C:\Users\Admin\Desktop\elevate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\app.asar

Filesize
28.4MB

MD5
dc57c19e7f2dea81d9b4b9d4f42719e9

SHA1
4704b45bec0a3812294e36432925b12531fb6dee

SHA256
43ddf82aab7a36a77c53728bb5a5596ce1dedf5d71a5580910bbcc8b474329b0

SHA512
ca58359c2cc563f766deaf3cc401065205d5cc2099a981ed50610f757cf9ecd38285afd8774390b11eb1a53c16531d1cad50f502fc0f6d431f44155c29c054ba

Download Submit
C:\Users\Admin\Desktop\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit