Resubmissions
- 12-02-2022 08:00 | 220212-jwe74ahgh6 | 8
- 12-01-2022 18:56 | 220112-xlrd9sdfhm | 8
- 12-01-2022 06:29 | 220112-g9cm1sbdg5 | 6

Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: WindowsFormsApp1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: WindowsFormsApp1.exe
  Resource: win10-en-20211208
General
- Target: WindowsFormsApp1.exe
- Size: 117KB
- MD5: e7138eb2f838114591d0917050710bff
- SHA1: 55f4b508ed4ed8e6650057b7a7538fda9dbdf2e7
- SHA256: bb0bca92cc74cac6b770649c5e70b0f4fd177de58fcfc7c719223485624dc28b
- SHA512: 09a05490a40a05e1df42022742512a417c1a6970c06f32e445fb4aa12a123ea72f7cb2ed4da1ac1365229114c18578ae3e4baecbd653f81b77cf750a86554cc2
Malware Config
Signatures
- Drops desktop.ini file(s) (3 IoCs)
  Processes: WindowsFormsApp1.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | WindowsFormsApp1.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | WindowsFormsApp1.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | WindowsFormsApp1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (14 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.JEBAĆ_BYDGOSZCZ!!!\ = "JEBAĆ_BYDGOSZCZ!!!_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\edit\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\JEBAĆ_BYDGOSZCZ!!!_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.JEBAĆ_BYDGOSZCZ!!! | rundll32.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  1680 | NOTEPAD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe"
  - Drops desktop.ini file(s)
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
  - Modifies registry class
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
  - Modifies registry class
  - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
  MD5: 8a71b76e08f3a036624155c68dc06aca
  SHA1: d4b8b34fa54b0a0bea1486efaf92140571cb447e
  SHA256: 00146b4135a15069c90ead332680dcd2ccbf23e396ee262556ff4caa92373991
  SHA512: f8da1b345cea82cf08465d94ac5ec651866d2cc2d4fecef61d8591c54808f6d5466e86ff962f465dd813ec3a2c7f6ae2ac798e1f06e7d142451f597ac53d8dcd
- memory/540-60-0x000007FEFC151000-0x000007FEFC153000-memory.dmp (Filesize 8KB)
- memory/1932-55-0x00000000008B0000-0x00000000008D2000-memory.dmp (Filesize 136KB)
- memory/1932-56-0x00000000008B0000-0x00000000008D2000-memory.dmp (Filesize 136KB)
- memory/1932-57-0x0000000076511000-0x0000000076513000-memory.dmp (Filesize 8KB)
- memory/1932-58-0x0000000000490000-0x0000000000491000-memory.dmp (Filesize 4KB)
- memory/1932-59-0x0000000000495000-0x00000000004A6000-memory.dmp (Filesize 68KB)