Overview

overview

8

Static

static

WindowsFormsApp1.exe

windows7_x64

6

WindowsFormsApp1.exe

windows10_x64

8

Resubmissions

12/02/2022, 08:00

220212-jwe74ahgh6 8

12/01/2022, 18:56

220112-xlrd9sdfhm 8

12/01/2022, 06:29

220112-g9cm1sbdg5 6

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12/01/2022, 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WindowsFormsApp1.exe

  • Size

    117KB

  • MD5

    e7138eb2f838114591d0917050710bff

  • SHA1

    55f4b508ed4ed8e6650057b7a7538fda9dbdf2e7

  • SHA256

    bb0bca92cc74cac6b770649c5e70b0f4fd177de58fcfc7c719223485624dc28b

  • SHA512

    09a05490a40a05e1df42022742512a417c1a6970c06f32e445fb4aa12a123ea72f7cb2ed4da1ac1365229114c18578ae3e4baecbd653f81b77cf750a86554cc2

Score
6/10

Malware Config

Signatures

  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 14 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe"
    1⤵
    • Drops desktop.ini file(s)
    PID:1932
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
    1⤵
    • Modifies registry class
    PID:540
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:832
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
      1⤵
      • Modifies registry class
      PID:1616
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MergeWrite.easmx.JEBAĆ_BYDGOSZCZ!!!
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1680

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/540-60-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1932-55-0x00000000008B0000-0x00000000008D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1932-56-0x00000000008B0000-0x00000000008D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1932-57-0x0000000076511000-0x0000000076513000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1932-58-0x0000000000490000-0x0000000000491000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-59-0x0000000000495000-0x00000000004A6000-memory.dmp

      Filesize

      68KB

      Download