Analysis Overview
SHA256
f4ac3bde40922f23b307cf8032064b9b268cf8f95e7e54f2e710683e13b445ea
Threat Level: Likely malicious
The file Randomize.rar was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Executes dropped EXE
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:09
Reported
2024-11-13 17:10
Platform
win11-20241007-de
Max time kernel
39s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\puOzLZArzlF\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\puOzLZArzlF" | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ySjIjNmChocd\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ySjIjNmChocd" | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tZJuLHJqVXivpDbJZyfRTJ\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tZJuLHJqVXivpDbJZyfRTJ" | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\Desktop\Randomize\kdmapper.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4532 wrote to memory of 2064 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\Desktop\Randomize\kdmapper.exe |
| PID 4532 wrote to memory of 2064 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\Desktop\Randomize\kdmapper.exe |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Randomize.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Randomize\kdmapper.exe
"C:\Users\Admin\Desktop\Randomize\kdmapper.exe" C:\Users\Admin\Desktop\Randomize\randomize.sys
C:\Users\Admin\Desktop\Randomize\kdmapper.exe
"C:\Users\Admin\Desktop\Randomize\kdmapper.exe" C:\Users\Admin\Desktop\Randomize\randomize.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Randomize\RandomizeSerials.bat"
C:\Users\Admin\Desktop\Randomize\kdmapper.exe
kdmapper.exe randomize.sys
Network
Files
C:\Users\Admin\Desktop\Randomize\kdmapper.exe
| Hash | Value |
|---|---|
| MD5 | 16e6f84941d4175471a4d6db98831a36 |
| SHA1 | 5ffacfd48f8fac4c3878e8dec15b2b70df9bc375 |
| SHA256 | 3d5afb02d8a85f2c31023c3696128aee172073d3accdb5156f44537ec804d489 |
| SHA512 | 9c69350c97f219cd2341b005b6ad036343383b28a117e0620e08a3e12b18139a83d77ab0c53247384d9e7605bf32d428ebd809f93ffdd8e715d8e384ef747fbc |
C:\Users\Admin\Desktop\Randomize\RandomizeSerials.bat
| Hash | Value |
|---|---|
| MD5 | f7d420190092dc47710f18d353016067 |
| SHA1 | af549ec1b2ac0b08739ffa342f62acb5286f8506 |
| SHA256 | a85c5edd608950d8612f52a8ae1fb94dd1979891344f221f971ab0180bdcd0f1 |
| SHA512 | c076337f50e6ec9ac2be3231eafba568380f2ded6bd7341a280dd99740a25c1ec6a057583f36b9e1e63f7553969d3dd5421861ab288f2bd3df5f52cef7405568 |