7322d721bf1f0d3605afed4f865595141cc06a2ce96b2aaa68b8fffdb282cd0f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 18:38

Target

Mussu.zip
Size

16.5MB
MD5

ebc28e01f24dba43a859200fb894aec1
SHA1

3410e083ad0a952961afdd8dfe17144fa1d67b4c
SHA256

7322d721bf1f0d3605afed4f865595141cc06a2ce96b2aaa68b8fffdb282cd0f
SHA512

8ade27a7e862799effcf4010993b3f774eead684ca724d206773a6d20743636f03d9e07897f0bc938ddb97dcfdb165b018645672c716e4a37fa849cfe86e0e21
SSDEEP

393216:cC+UQFs/q/zi0CvxynQzueshfscw2EBIM0ogPyw3gq:coms/azXnQcZwlBIM0ogPh3gq

Score

7^/10

themida

Executes dropped EXE 2 IoCs

Processes:

BraveBrowser.exeBraveBrowser.exe

pid process

2224 BraveBrowser.exe
3052 BraveBrowser.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

1188
1188

pid	process
2224	BraveBrowser.exe
3052	BraveBrowser.exe

pid	process
1188
1188

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

Processes:

resource	yara_rule
\Users\Admin\Desktop\BraveBrowser.exe	themida
behavioral1/memory/2224-5-0x000000013FCA0000-0x000000014147E000-memory.dmp	themida
behavioral1/memory/3052-16-0x000000013FD10000-0x00000001414EE000-memory.dmp	themida
behavioral1/memory/3052-17-0x000000013FD10000-0x00000001414EE000-memory.dmp	themida

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2124 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1500 7zFM.exe

pid	process
2124	NOTEPAD.EXE

pid	process
1500	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exe

pid process

1500 7zFM.exe
1500 7zFM.exe
1500 7zFM.exe
1500 7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7zFM.exe

description	pid	process	target process
PID 1500 wrote to memory of 2124	1500	7zFM.exe	NOTEPAD.EXE
PID 1500 wrote to memory of 2124	1500	7zFM.exe	NOTEPAD.EXE
PID 1500 wrote to memory of 2124	1500	7zFM.exe	NOTEPAD.EXE

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mussu.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCD5B6DD7\TUTORIAL.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2124

C:\Users\Admin\Desktop\BraveBrowser.exe
"C:\Users\Admin\Desktop\BraveBrowser.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\Desktop\BraveBrowser.exe
"C:\Users\Admin\Desktop\BraveBrowser.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\7zOCD5B6DD7\TUTORIAL.txt

Filesize
481B

MD5
6f259b69b9720f9bb75ac8ee6f69596b

SHA1
080986dbccf15311690356d554f3cb59e8afa12f

SHA256
48586f5229b653859eb3e76551704d5a49cc7759f0495e7d9c8f02c21f03c322

SHA512
885c79e6dfa65dc57e261b7eebc66a008ce979e1e48bd5ffdd594cb22e8cca2ba96178b35c8782b3de6cbe8d759a12f800ce0f44bc7cd4577e9132da50e48887

Download Submit
\Users\Admin\Desktop\BraveBrowser.exe

Filesize
17.0MB

MD5
89e53d5098cdd2dc6a71ca41236844d1

SHA1
b67cac83578cb28082a40b3d16adee8f2b4ab9b4

SHA256
62c9b8ba6a0eca0cd348724b5b3a9cfac8e25dcb4b16d6f817c5a97651beaa08

SHA512
4b0a4f6d71b38c55324c7325c3c24f18dc2559ba7595bcb47a70540b64a596c407466a00df2f2026a0e13169a3863fbbc833639e05ec6fbcb54a89a2de059527

Download Submit
memory/2224-5-0x000000013FCA0000-0x000000014147E000-memory.dmp

Filesize
23.9MB

Download
memory/3052-16-0x000000013FD10000-0x00000001414EE000-memory.dmp

Filesize
23.9MB

Download
memory/3052-17-0x000000013FD10000-0x00000001414EE000-memory.dmp

Filesize
23.9MB

Download