Malware Analysis Report

2024-12-07 11:37

Sample ID: 241113-vpll3swekq
Target: Randomize.rar
SHA256: f4ac3bde40922f23b307cf8032064b9b268cf8f95e7e54f2e710683e13b445ea
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

f4ac3bde40922f23b307cf8032064b9b268cf8f95e7e54f2e710683e13b445ea

Threat Level: Likely malicious

The file Randomize.rar was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets service image path in registry

Executes dropped EXE

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:09

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:09

Reported

2024-11-13 17:10

Platform

win11-20241007-de

Max time kernel

39s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Randomize.rar"

Signatures

Sets service image path in registry

Tag: persistence

Description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\puOzLZArzlF\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\puOzLZArzlF"
Indicator: N/A
Process: C:\Users\Admin\Desktop\Randomize\kdmapper.exe
Target: N/A

Description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ySjIjNmChocd\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ySjIjNmChocd"
Indicator: N/A
Process: C:\Users\Admin\Desktop\Randomize\kdmapper.exe
Target: N/A

Description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tZJuLHJqVXivpDbJZyfRTJ\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tZJuLHJqVXivpDbJZyfRTJ"
Indicator: N/A
Process: C:\Users\Admin\Desktop\Randomize\kdmapper.exe
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Program Files\7-Zip\7zFM.exe
Target: N/A

Suspicious behavior: LoadsDriver

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\Desktop\Randomize\kdmapper.exe (reported 3 times)
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeRestorePrivilege
Indicator: N/A
Process: C:\Program Files\7-Zip\7zFM.exe
Target: N/A

Description: Token: 35
Indicator: N/A
Process: C:\Program Files\7-Zip\7zFM.exe
Target: N/A

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Program Files\7-Zip\7zFM.exe
Target: N/A

Description: Token: SeLoadDriverPrivilege
Indicator: N/A
Process: C:\Users\Admin\Desktop\Randomize\kdmapper.exe (reported 3 times)
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Program Files\7-Zip\7zFM.exe (reported 2 times)
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 4532 wrote to memory of 2064 (reported 2 times)
Indicator: N/A
Process: C:\Windows\System32\cmd.exe
Target: C:\Users\Admin\Desktop\Randomize\kdmapper.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Randomize.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Randomize\kdmapper.exe

"C:\Users\Admin\Desktop\Randomize\kdmapper.exe" C:\Users\Admin\Desktop\Randomize\randomize.sys

C:\Users\Admin\Desktop\Randomize\kdmapper.exe

"C:\Users\Admin\Desktop\Randomize\kdmapper.exe" C:\Users\Admin\Desktop\Randomize\randomize.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Randomize\RandomizeSerials.bat"

C:\Users\Admin\Desktop\Randomize\kdmapper.exe

kdmapper.exe randomize.sys

Network

N/A

Files

C:\Users\Admin\Desktop\Randomize\kdmapper.exe

MD5: 16e6f84941d4175471a4d6db98831a36
SHA1: 5ffacfd48f8fac4c3878e8dec15b2b70df9bc375
SHA256: 3d5afb02d8a85f2c31023c3696128aee172073d3accdb5156f44537ec804d489
SHA512: 9c69350c97f219cd2341b005b6ad036343383b28a117e0620e08a3e12b18139a83d77ab0c53247384d9e7605bf32d428ebd809f93ffdd8e715d8e384ef747fbc

C:\Users\Admin\Desktop\Randomize\RandomizeSerials.bat

MD5: f7d420190092dc47710f18d353016067
SHA1: af549ec1b2ac0b08739ffa342f62acb5286f8506
SHA256: a85c5edd608950d8612f52a8ae1fb94dd1979891344f221f971ab0180bdcd0f1
SHA512: c076337f50e6ec9ac2be3231eafba568380f2ded6bd7341a280dd99740a25c1ec6a057583f36b9e1e63f7553969d3dd5421861ab288f2bd3df5f52cef7405568