Analysis
- max time kernel: 1051s
- max time network: 844s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 05-12-2021 21:27
- Static task: static1
- Behavioral task behavioral1: Sample IlusionChecker.7z, Resource win7-en-20211104
- Behavioral task behavioral2: Sample IlusionChecker.7z, Resource win10-en-20211014
- Behavioral task behavioral3: Sample IlusionChecker.7z, Resource win7-en-20211104
- Behavioral task behavioral4: Sample IlusionChecker.7z, Resource win10-en-20211014
- Behavioral task behavioral5: Sample IlusionChecker.7z, Resource win7-en-20211104
- Behavioral task behavioral6: Sample IlusionChecker.7z, Resource win10-en-20211104
General
- Target: IlusionChecker.7z
- Size: 3.6MB
- MD5: ffdcbdd06ed59b0c4a507cac8d575913
- SHA1: de5e9d4384db0866f083db001217373b34451ea6
- SHA256: eefc3d0a6af3df17b4c97f8404509550aa8eb99b3757a0ba4590c6bce88c96ca
- SHA512: 09765eac9a6f6dd493a6907e20f07e756ae443bdb7a2e10233161e179fc46669fa5796b91df57a3e5cf3607d1f9fb4ab33e002e2b596699115b624f09b3dc5b5
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (10 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\7z_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\7z_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\7z_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\7z_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\.7z\ = "7z_auto_file" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\7z_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\7z_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\.7z | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  572 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid | process
  572 | AcroRd32.exe
  572 | AcroRd32.exe
  572 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 724 wrote to memory of 556 | 724 | cmd.exe | rundll32.exe
  PID 724 wrote to memory of 556 | 724 | cmd.exe | rundll32.exe
  PID 724 wrote to memory of 556 | 724 | cmd.exe | rundll32.exe
  PID 556 wrote to memory of 572 | 556 | rundll32.exe | AcroRd32.exe
  PID 556 wrote to memory of 572 | 556 | rundll32.exe | AcroRd32.exe
  PID 556 wrote to memory of 572 | 556 | rundll32.exe | AcroRd32.exe
  PID 556 wrote to memory of 572 | 556 | rundll32.exe | AcroRd32.exe
Processes (process tree; each indented entry is a child of the one above it)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\IlusionChecker.7z
  PID: 724
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\IlusionChecker.7z
    PID: 556
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\IlusionChecker.7z"
      PID: 572
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx