bb0bca92cc74cac6b770649c5e70b0f4fd177de58fcfc7c719223485624dc28b

Resubmissions

12-02-2022 08:00

220212-jwe74ahgh6 8

12-01-2022 18:56

220112-xlrd9sdfhm 8

12-01-2022 06:29

220112-g9cm1sbdg5 6

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-01-2022 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsFormsApp1.exe
Size

117KB
MD5

e7138eb2f838114591d0917050710bff
SHA1

55f4b508ed4ed8e6650057b7a7538fda9dbdf2e7
SHA256

bb0bca92cc74cac6b770649c5e70b0f4fd177de58fcfc7c719223485624dc28b
SHA512

09a05490a40a05e1df42022742512a417c1a6970c06f32e445fb4aa12a123ea72f7cb2ed4da1ac1365229114c18578ae3e4baecbd653f81b77cf750a86554cc2

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 3 IoCs

Processes:

WindowsFormsApp1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	WindowsFormsApp1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	WindowsFormsApp1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 14 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.JEBAĆ_BYDGOSZCZ!!!\ = "JEBAĆ_BYDGOSZCZ!!!_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.JEBAĆ_BYDGOSZCZ!!!	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1680 NOTEPAD.EXE

pid	process
1680	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe"
1⤵
- Drops desktop.ini file(s)
PID:1932

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
1⤵
- Modifies registry class
PID:540

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:832

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
1⤵
- Modifies registry class
PID:1616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
2⤵
- Opens file in notepad (likely ransom note)
PID:1680

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
MD5
8a71b76e08f3a036624155c68dc06aca

SHA1
d4b8b34fa54b0a0bea1486efaf92140571cb447e

SHA256
00146b4135a15069c90ead332680dcd2ccbf23e396ee262556ff4caa92373991

SHA512
f8da1b345cea82cf08465d94ac5ec651866d2cc2d4fecef61d8591c54808f6d5466e86ff962f465dd813ec3a2c7f6ae2ac798e1f06e7d142451f597ac53d8dcd

Download Submit
memory/540-60-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

Filesize
8KB

Download
memory/1932-55-0x00000000008B0000-0x00000000008D2000-memory.dmp

Filesize
136KB

Download
memory/1932-56-0x00000000008B0000-0x00000000008D2000-memory.dmp

Filesize
136KB

Download
memory/1932-57-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download
memory/1932-58-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1932-59-0x0000000000495000-0x00000000004A6000-memory.dmp

Filesize
68KB

Download