a0c5b8f728ee17e96b5e49b9ba5de873331dda3f5751efc0665d22b3491c6139

Reason

Remote task has failed: Machine shutdown

General

Target

CARGO ARRIVAL.lzh.rar
Size

467KB
MD5

ded00ce5f2d97d2c052322e83c814d20
SHA1

653cbc3dcfd352a478850dc8f05080e219a2655a
SHA256

a0c5b8f728ee17e96b5e49b9ba5de873331dda3f5751efc0665d22b3491c6139
SHA512

81b485312c966fc00f70cb7ba3acd732fe9cdf9029afc45963a190f1ce306e52f7a74e31eb957b90d6a9b3ada579590929436db9e4eb7ea88c74d5fe2bd9dcb7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1676 vlc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

taskmgr.exe

pid	process
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1676 vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	436	taskmgr.exe
Token: 33	572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	572	AUDIODG.EXE
Token: 33	572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	572	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

vlc.exetaskmgr.exe

pid	process
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
1676	vlc.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

vlc.exetaskmgr.exe

pid	process
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
1676	vlc.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
1676	vlc.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe
436	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1676 vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1048 wrote to memory of 1960	1048	cmd.exe	rundll32.exe
PID 1048 wrote to memory of 1960	1048	cmd.exe	rundll32.exe
PID 1048 wrote to memory of 1960	1048	cmd.exe	rundll32.exe
PID 1960 wrote to memory of 1676	1960	rundll32.exe	vlc.exe
PID 1960 wrote to memory of 1676	1960	rundll32.exe	vlc.exe
PID 1960 wrote to memory of 1676	1960	rundll32.exe	vlc.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CARGO ARRIVAL.lzh.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CARGO ARRIVAL.lzh.rar
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\CARGO ARRIVAL.lzh.rar"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:396

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-68-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/952-66-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1048-60-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1676-63-0x0000000000000000-mapping.dmp

Download
memory/1960-61-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads