Malware Analysis Report

2025-01-03 09:40

Sample ID 241022-214elaydqb
Target Trojan-Ransom.Python.ChastityLock-Archived.zip
SHA256 b4925cf89244fe0fcd7a70803c93a7890941176d8a8ed41c3bdf513335958d87
Tags
qr link
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

b4925cf89244fe0fcd7a70803c93a7890941176d8a8ed41c3bdf513335958d87

Threat Level: Likely benign

The file Trojan-Ransom.Python.ChastityLock-Archived.zip was found to be: Likely benign.

Malicious Activity Summary

qr link

One or more HTTP URLs in qr code identified

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-22 23:03

Signatures

One or more HTTP URLs in qr code identified

qr link

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-22 23:03

Reported

2024-10-22 23:04

Platform

win11-20241007-en

Max time kernel

10s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Python.ChastityLock-Archived.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Python.ChastityLock-Archived.zip"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-22 23:03

Reported

2024-10-22 23:06

Platform

win11-20240802-en

Max time kernel

139s

Max time network

142s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\1.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\1.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-22 23:03

Reported

2024-10-22 23:06

Platform

win11-20241007-en

Max time kernel

90s

Max time network

94s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\2.jpg

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\2.jpg

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-22 23:03

Reported

2024-10-22 23:06

Platform

win11-20241007-en

Max time kernel

91s

Max time network

96s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\3.jpg

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\3.jpg

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-22 23:03

Reported

2024-10-22 23:06

Platform

win11-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\4.jpg

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\4.jpg

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-22 23:03

Reported

2024-10-22 23:06

Platform

win11-20241007-en

Max time kernel

92s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\5.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Archived\5.png

Network

Files

N/A