Analysis
- max time kernel: 153s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-01-2022 01:50
Behavioral task: behavioral1
- Sample: UnHAnaAW.arm7
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: UnHAnaAW.arm7
- Resource: win10v2004-en-20220113 (windows10-2004_x64)
- 0 signatures
- 0 seconds
General
- Target: UnHAnaAW.arm7
- Size: 157KB
- MD5: 5a6f9f201e4ca6a7fdac10e632cb58b8
- SHA1: 930ce61517445d3401fa17e960c960772abd5b1b
- SHA256: 306a86a5f20c305839fc374206ddc20bc38c88531d602782351871b0826dec1b
- SHA512: 5aa41e11345d756f0e2d043e30cb47a7f0a2d42f1216da2b394580e69a3f88925adee9aa2612cee42ad353add2ab65220fd732048c352d34fcbb1147fbff543e
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (10 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\arm7_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\arm7_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\.arm7\ = "arm7_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\arm7_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\arm7_auto_file\shell | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\arm7_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\.arm7 | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\arm7_auto_file\shell\Read\command | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1680 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1680 | AcroRd32.exe
  1680 | AcroRd32.exe
  1680 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 1908 wrote to memory of 768 | 1908 | cmd.exe | rundll32.exe
  PID 1908 wrote to memory of 768 | 1908 | cmd.exe | rundll32.exe
  PID 1908 wrote to memory of 768 | 1908 | cmd.exe | rundll32.exe
  PID 768 wrote to memory of 1680 | 768 | rundll32.exe | AcroRd32.exe
  PID 768 wrote to memory of 1680 | 768 | rundll32.exe | AcroRd32.exe
  PID 768 wrote to memory of 1680 | 768 | rundll32.exe | AcroRd32.exe
  PID 768 wrote to memory of 1680 | 768 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\UnHAnaAW.arm7
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\UnHAnaAW.arm7
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\UnHAnaAW.arm7"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx