Resubmissions
12/02/2022, 08:00 | 220212-jwe74ahgh6 | 8
12/01/2022, 18:56 | 220112-xlrd9sdfhm | 8
12/01/2022, 06:29 | 220112-g9cm1sbdg5 | 6

Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12/01/2022, 18:56
Static task
- static1

Behavioral task
- behavioral1
  - Sample: WindowsFormsApp1.exe
  - Resource: win7-en-20211208
  - 0 signatures
  - 0 seconds

Behavioral task
- behavioral2
  - Sample: WindowsFormsApp1.exe
  - Resource: win10-en-20211208
  - 0 signatures
  - 0 seconds
General
- Target: WindowsFormsApp1.exe
- Size: 117KB
- MD5: e7138eb2f838114591d0917050710bff
- SHA1: 55f4b508ed4ed8e6650057b7a7538fda9dbdf2e7
- SHA256: bb0bca92cc74cac6b770649c5e70b0f4fd177de58fcfc7c719223485624dc28b
- SHA512: 09a05490a40a05e1df42022742512a417c1a6970c06f32e445fb4aa12a123ea72f7cb2ed4da1ac1365229114c18578ae3e4baecbd653f81b77cf750a86554cc2
- Score: 6/10
Malware Config

Signatures

- Drops desktop.ini file(s) (3 IoCs)

  description | ioc | Process
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | WindowsFormsApp1.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | WindowsFormsApp1.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | WindowsFormsApp1.exe

- Enumerates physical storage devices (1 TTPs)

  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (14 IoCs)

  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.JEBAĆ_BYDGOSZCZ!!!\ = "JEBAĆ_BYDGOSZCZ!!!_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.JEBAĆ_BYDGOSZCZ!!! | rundll32.exe

- Opens file in notepad (likely ransom note) (1 IoCs)

  pid | Process
  1680 | NOTEPAD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe"
  - Drops desktop.ini file(s)
  - PID:1932
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
  - Modifies registry class
  - PID:540
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  - PID:832
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
  - Modifies registry class
  - PID:1616
  - Child process: C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
    - Opens file in notepad (likely ransom note)
    - PID:1680