c8316cdcf1228e049c3bc470d4c881827f912cb3cc5a9012145d2c8160e56428

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21/11/2024, 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Арр-1.0.9-x64-ReleaseВ.zip
Size

55.1MB
MD5

e785d8b3eb3095653da5a33af913c838
SHA1

4e52b5da12d92bf1a8b87b00107cc60c1231fb1e
SHA256

c8316cdcf1228e049c3bc470d4c881827f912cb3cc5a9012145d2c8160e56428
SHA512

d0c2a411138af741e008e85fec2e3b56dd5cd7d6dabdd25f35a6120517a7eb520e6567777c4497d54baff75c3e15e27c8776c162d40b36abed34c571474f8868
SSDEEP

1572864:ApiQeJzIiEkrF4jYEJYRanE4Ap645ur38:5JEiTh4ZKqLg04

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoB.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
484	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3468	7zFM.exe
3468	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3468	7zFM.exe
4792	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3468	7zFM.exe
Token: 35	3468	7zFM.exe
Token: SeSecurityPrivilege	3468	7zFM.exe
Token: SeSecurityPrivilege	3468	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3468	7zFM.exe
3468	7zFM.exe
3468	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4792	OpenWith.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 484	3468	7zFM.exe	78
PID 3468 wrote to memory of 484	3468	7zFM.exe	78
PID 3972 wrote to memory of 3196	3972	XenoB.exe	92
PID 3972 wrote to memory of 3196	3972	XenoB.exe	92
PID 3972 wrote to memory of 3196	3972	XenoB.exe	92

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Арр-1.0.9-x64-ReleaseВ.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC8D4CEE7\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Xeno\XenoB.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Xeno\XenoB.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Xeno\XenoB.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Xeno\XenoB.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe
"C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:224

C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe
"C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1324

C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe
"C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:768

C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe
"C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3576

C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe
"C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe"
1⤵
PID:4684

C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe
"C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe"
1⤵
PID:4164

C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe
"C:\Users\Admin\Desktop\Release\Xeno\XenoB.exe"
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC8D4CEE7\README.txt

Filesize
116B

MD5
c4a4951af1fa873001f20d417b911300

SHA1
716446b4cb405a88d51b3ca5f682ef2b5dea5be7

SHA256
f5d5dcf0bf3cfe86d237d5b998112c3ac734dcfbd0ae3cf4b820bc9ce607ca43

SHA512
935999bc3ba6c10535fded350f9cd1cd9500f50e4f2707a0f91f7111aefca72fbc3e2de0bcba70763f84ca01c8cf885714175c4100a9f51564a18da2c048f53b

Download Submit
memory/224-49-0x00000000008E0000-0x0000000000ED0000-memory.dmp

Filesize
5.9MB

Download
memory/224-34-0x0000000003320000-0x0000000003382000-memory.dmp

Filesize
392KB

Download
memory/224-28-0x0000000003320000-0x0000000003382000-memory.dmp

Filesize
392KB

Download
memory/224-29-0x0000000003320000-0x0000000003382000-memory.dmp

Filesize
392KB

Download
memory/224-31-0x0000000003320000-0x0000000003382000-memory.dmp

Filesize
392KB

Download
memory/224-35-0x0000000003150000-0x000000000331F000-memory.dmp

Filesize
1.8MB

Download
memory/224-32-0x0000000003320000-0x0000000003382000-memory.dmp

Filesize
392KB

Download
memory/224-30-0x0000000003320000-0x0000000003382000-memory.dmp

Filesize
392KB

Download
memory/224-27-0x0000000003150000-0x000000000331F000-memory.dmp

Filesize
1.8MB

Download
memory/224-24-0x00000000008E0000-0x0000000000ED0000-memory.dmp

Filesize
5.9MB

Download
memory/224-33-0x0000000003320000-0x0000000003382000-memory.dmp

Filesize
392KB

Download
memory/768-61-0x00000000015D0000-0x000000000162A000-memory.dmp

Filesize
360KB

Download
memory/768-53-0x00000000008E0000-0x0000000000ED0000-memory.dmp

Filesize
5.9MB

Download
memory/768-58-0x00000000038C0000-0x0000000003A8F000-memory.dmp

Filesize
1.8MB

Download
memory/768-59-0x00000000015D0000-0x000000000162A000-memory.dmp

Filesize
360KB

Download
memory/768-63-0x00000000015D0000-0x000000000162A000-memory.dmp

Filesize
360KB

Download
memory/768-62-0x00000000015D0000-0x000000000162A000-memory.dmp

Filesize
360KB

Download
memory/768-60-0x00000000015D0000-0x000000000162A000-memory.dmp

Filesize
360KB

Download
memory/768-66-0x00000000038C0000-0x0000000003A8F000-memory.dmp

Filesize
1.8MB

Download
memory/768-65-0x00000000015D0000-0x000000000162A000-memory.dmp

Filesize
360KB

Download
memory/768-64-0x00000000015D0000-0x000000000162A000-memory.dmp

Filesize
360KB

Download
memory/1324-52-0x00000000008E0000-0x0000000000ED0000-memory.dmp

Filesize
5.9MB

Download
memory/1324-36-0x00000000008E0000-0x0000000000ED0000-memory.dmp

Filesize
5.9MB

Download
memory/1324-39-0x00000000030F0000-0x00000000032BF000-memory.dmp

Filesize
1.8MB

Download
memory/1324-41-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/1324-45-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/1324-46-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/1324-47-0x00000000030F0000-0x00000000032BF000-memory.dmp

Filesize
1.8MB

Download
memory/1324-40-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/1324-42-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/1324-43-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/1324-44-0x0000000000780000-0x00000000007E2000-memory.dmp

Filesize
392KB

Download
memory/3196-55-0x0000000000D70000-0x0000000001360000-memory.dmp

Filesize
5.9MB

Download
memory/3196-69-0x0000000003B60000-0x0000000003D2F000-memory.dmp

Filesize
1.8MB

Download
memory/3972-51-0x0000000000D70000-0x0000000001360000-memory.dmp

Filesize
5.9MB

Download
memory/3972-11-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/3972-13-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/3972-18-0x0000000000D70000-0x0000000001360000-memory.dmp

Filesize
5.9MB

Download
memory/3972-14-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/3972-16-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/3972-15-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/3972-12-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/3972-10-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/3972-9-0x0000000003F90000-0x000000000415F000-memory.dmp

Filesize
1.8MB

Download
memory/3972-8-0x0000000003F90000-0x000000000415F000-memory.dmp

Filesize
1.8MB

Download
memory/3972-7-0x0000000003A10000-0x0000000003B82000-memory.dmp

Filesize
1.4MB

Download
memory/3972-6-0x0000000000D70000-0x0000000001360000-memory.dmp

Filesize
5.9MB

Download
memory/3972-17-0x0000000003F90000-0x000000000415F000-memory.dmp

Filesize
1.8MB

Download