7ba8dd69197379fc2fba05be5f2f20ef9ca7749d6c1bdcd2ba9d5de6e7598a20

Resubmissions

17/10/2024, 13:57

241017-q9mbwszfke 5

17/10/2024, 13:53

241017-q69ysatcmj 3

Analysis

max time kernel
140s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gamebanned_2024_v1.zip
Size

1.0MB
MD5

f2f76c61e29007097869ada2ad9812dd
SHA1

8921cead68fa88bbd30b58f28f79f081120bf1fd
SHA256

7ba8dd69197379fc2fba05be5f2f20ef9ca7749d6c1bdcd2ba9d5de6e7598a20
SHA512

8e1abc2204c6dc521129fec4f5f6c069e24b170223fb4f52b59dfa86604763e22daa297ad3be243b16c005a59722d82023b8d7aae763ee55eb7fb89d7036fac3
SSDEEP

12288:TN9ZojhZExKZ0bnS9nAwuTPlubMoY+8U6XklFSlZfbRKQwOHGqbCYZdMYS3ETJxM:LZ8jWbSvAoT8elF+dLGqbCYYYSSxtgt

Score

1^/10

Malware Config

Signatures

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.text	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\鰀䆟縀䆁\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\鰀䆟縀䆁	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.text\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\open\command	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2676	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1376	7zFM.exe
1376	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2028	7zFM.exe
1376	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2028	7zFM.exe
Token: 35	2028	7zFM.exe
Token: SeSecurityPrivilege	2028	7zFM.exe
Token: SeRestorePrivilege	1376	7zFM.exe
Token: 35	1376	7zFM.exe
Token: SeSecurityPrivilege	1376	7zFM.exe
Token: SeSecurityPrivilege	1376	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2028	7zFM.exe
2028	7zFM.exe
1376	7zFM.exe
1376	7zFM.exe
1376	7zFM.exe
1376	7zFM.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4400	OpenWith.exe
4400	OpenWith.exe
4400	OpenWith.exe
4400	OpenWith.exe
4400	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2676	1376	7zFM.exe	111
PID 1376 wrote to memory of 2676	1376	7zFM.exe	111
PID 3384 wrote to memory of 4092	3384	OpenWith.exe	113
PID 3384 wrote to memory of 4092	3384	OpenWith.exe	113

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\gamebanned_2024_v1.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\gamebanned_2024_v1\Hurtworld\bking"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO065FFB78\version.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO06506C88\.text
  2⤵
  PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO06506C88\.text

Filesize
159KB

MD5
7da6fccac94d51c3c6cd1dc9f9374cc1

SHA1
464c509231b5614ddbb46e70dc0f3d9980623e48

SHA256
4545eb7cba34da1ad8d0216a82719f9165d2a01051a5de4cce8ab04651163201

SHA512
b58f124b0363317dfbc2fef28953a7cbc1c434158816a901ee6984538d2a19a099b81a2da89ff490e9a4c1c1f81f7ae1715026eb048d5726d105fb8ec6c8e776

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO065FFB78\version.txt

Filesize
1KB

MD5
2b0b45af2b7b5567bf690dfa3b24fd19

SHA1
9a77af072c625b602786603070aba012f1feb2b9

SHA256
30cfcbebd15c2cb75cb7085fd00a770d048943fa9b8fad89338eda7cc3a95f08

SHA512
03409f27de3f0fc9d5152d59789292225d9dfcc899fdd26259899870d9f1a0f3ae43394d98b7037d6144292451802355c11a1589af05291c4034e343a64073b2

Download Submit
C:\Users\Admin\Desktop\gamebanned_2024_v1\Hurtworld\bking

Filesize
161KB

MD5
d4b00a911426084f614dfaeef71827f4

SHA1
69dc34efa9651221422bb367881e01073cf1a869

SHA256
449534a580989e797da5fced3a6a7f4c6981a2199b024b80e2136e8a8e2e97e1

SHA512
b69e76d0c9d2e740301f1a3c23529534f74ff062430e1191854a0bfdd5cf8eb7550f06887d5e62a6214fe47342149e168a1a2e095788f25e30ab122ae4ef0362

Download Submit