a0c5b8f728ee17e96b5e49b9ba5de873331dda3f5751efc0665d22b3491c6139

Resubmissions

22-07-2021 11:00

210722-m2kz6n4z42 3

22-07-2021 10:54

210722-8jxzhfgbvn 3

Analysis

max time kernel
67s
max time network
114s
platform
windows7_x64
resource
win7v20210410
submitted
22-07-2021 11:00

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

CARGO ARRIVAL.lzh.rar
Size

467KB
MD5

ded00ce5f2d97d2c052322e83c814d20
SHA1

653cbc3dcfd352a478850dc8f05080e219a2655a
SHA256

a0c5b8f728ee17e96b5e49b9ba5de873331dda3f5751efc0665d22b3491c6139
SHA512

81b485312c966fc00f70cb7ba3acd732fe9cdf9029afc45963a190f1ce306e52f7a74e31eb957b90d6a9b3ada579590929436db9e4eb7ea88c74d5fe2bd9dcb7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1656 wrote to memory of 1240	1656	cmd.exe	rundll32.exe
PID 1656 wrote to memory of 1240	1656	cmd.exe	rundll32.exe
PID 1656 wrote to memory of 1240	1656	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CARGO ARRIVAL.lzh.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CARGO ARRIVAL.lzh.rar
2⤵
- Modifies registry class
PID:1240

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-66-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1240-60-0x0000000000000000-mapping.dmp

Download
memory/1328-64-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1656-59-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download