Analysis

max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-en-20211208
submitted: 15-01-2022 01:50

Tasks
static1 (static task)
behavioral1 (behavioral task): sample UnHAnaAW.arm5, resource win7-en-20211208, platform windows7_x64, 0 signatures, 0 seconds
behavioral2 (behavioral task): sample UnHAnaAW.arm5, resource win10v2004-en-20220113, platform windows10-2004_x64, 0 signatures, 0 seconds
General

Target: UnHAnaAW.arm5
Size: 65KB
MD5: 1ab9ba9183a1cfc793e53d95c053a94f
SHA1: 0f89abb2535540236747f7509c00e7730805132b
SHA256: 0e96c432e77949a73df5b0b52a741ce1d10e74aa5b2e70f7345dfd577d07a96c
SHA512: 005a5516047e719e70278945aec4a17cd0ba536551e89251d466dd513c3aa5ac4977a1565cc751baa224fee267aa6481f9dce5463260c8f8eede07243952e569
Score: 3/10
Malware Config: (empty in this report)
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The report attributes this signature to no process. The only processes in the tree below are cmd.exe, the Open With dialog host (rundll32.exe shell32.dll,OpenAs_RunDLL) and AcroRd32.exe, none of which is the sample's own code, so the canned ransomware wording should be read as sandbox noise rather than as evidence about the sample.

Modifies registry class (10 IoCs)
All ten writes were made by rundll32.exe. Every key sits under the user's Classes hive, \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES (HKCU\Software\Classes; the report spells it _Classes in one entry), and the paths below are relative to it. Together they are exactly the file association the Open With dialog writes when a program is picked for an unregistered extension: .arm5 is mapped to the progid arm5_auto_file, whose Read verb launches Adobe Reader with the file as "%1". Nothing here is an action of the sample.
  1. Key created       arm5_auto_file\shell\Read
  2. Key created       arm5_auto_file\shell\Read\command
  3. Set value (str)   arm5_auto_file\shell\Read\command (default value) = "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"
  4. Key created       Local Settings
  5. Key created       Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  6. Key created       .arm5
  7. Set value (str)   .arm5 (default value) = arm5_auto_file
  8. Key created       arm5_auto_file\shell
  9. Key created       arm5_auto_file
 10. Set value (str)   arm5_auto_file (default value; the value is not shown in the report)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1380  AcroRd32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1380  AcroRd32.exe (three calls)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 864  cmd.exe       wrote to memory of  PID 592   rundll32.exe   (three times)
  PID 592  rundll32.exe  wrote to memory of  PID 1380  AcroRd32.exe   (four times)
Both pairs are parent writing into its direct child as shown in the process tree below, which is what ordinary process creation looks like; there is no write into an unrelated process that would indicate injection.
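The registry IoCs above are printed flattened, one event per line in the form "op key [= "value"] process". The following is an added example (not part of the sandbox report or of any sandbox product): it parses lines in that shape and recognises the association pattern that the Open With dialog writes under a user's Classes hive (".ext" default value = progid, then "progid\shell\verb\command" default value = "program" "%1"), so an analyst script can flag a run in which the sandbox registered a file type rather than the sample doing anything. The sample lines are copied from this report; the line regex, the function names and the "written only by rundll32.exe" heuristic are the example's own assumptions.

```python
import re

# Constructed input: the "Modifies registry class" IoC lines from this report,
# one event per line, in the flattened form  op  key  [= "value"]  process.
SAMPLE_LINES = [
    r'Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\arm5_auto_file\shell\Read rundll32.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\arm5_auto_file\shell\Read\command rundll32.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\arm5_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings rundll32.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.arm5 rundll32.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\.arm5\ = "arm5_auto_file" rundll32.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\arm5_auto_file\ rundll32.exe',
]

# Assumed line grammar: op, optional "(type)", key (may contain spaces), an
# optional  = "value"  part, and the writing process as the last token.
LINE_RE = re.compile(
    r'^(?P<op>Key created|Set value)(?: \((?P<vtype>[^)]*)\))?\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<proc>\S+)$'
)


def parse_registry_events(lines):
    """Turn flattened IoC lines into dicts with op, key, value and process."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        value = m.group("value")
        if value is not None:
            # the report escapes quotes and backslashes inside values
            value = re.sub(r'\\(["\\])', r'\1', value)
        events.append({"op": m.group("op"), "key": m.group("key"),
                       "value": value, "process": m.group("proc")})
    return events


def _key_parts(key):
    # a trailing backslash in the report means "default value"; drop empties
    return [p for p in key.split("\\") if p]


def find_open_with_associations(events):
    """Map .ext -> {progid, verbs, writers} for associations written under a
    user's Classes hive (\\REGISTRY\\USER\\<SID>_Classes == HKCU\\Software\\Classes),
    the shape the Open With dialog (shell32!OpenAs_RunDLL) produces."""
    progid_by_ext, verbs_by_progid, writers = {}, {}, {}
    for ev in events:
        parts = _key_parts(ev["key"])
        if len(parts) < 4 or not parts[2].upper().endswith("_CLASSES"):
            continue                      # not the user Classes hive
        name = parts[3]                   # ".arm5", "arm5_auto_file", ...
        writers.setdefault(name, set()).add(ev["process"])
        if ev["op"] != "Set value" or ev["value"] is None:
            continue
        if len(parts) == 4 and name.startswith("."):
            progid_by_ext[name] = ev["value"]            # .ext -> progid
        elif (len(parts) == 7 and parts[4].lower() == "shell"
              and parts[6].lower() == "command"):
            verbs_by_progid.setdefault(name, {})[parts[5]] = ev["value"]
    return {
        ext: {"progid": progid,
              "verbs": verbs_by_progid.get(progid, {}),
              "writers": writers.get(ext, set()) | writers.get(progid, set())}
        for ext, progid in progid_by_ext.items()
    }


def command_program(command):
    """Executable path from a verb command such as '"C:\\x\\a.exe" "%1"'."""
    m = re.match(r'\s*"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def is_open_with_artifact(assoc):
    """Heuristic (assumption of this example): an association written solely by
    rundll32.exe matches the Open With dialog; confirm against the process tree
    (rundll32.exe shell32.dll,OpenAs_RunDLL) before dismissing it."""
    return assoc["writers"] == {"rundll32.exe"}


if __name__ == "__main__":
    assoc = find_open_with_associations(parse_registry_events(SAMPLE_LINES))
    for ext, a in assoc.items():
        for verb, cmd in a["verbs"].items():
            print(f"{ext} -> {a['progid']} [{verb}] {command_program(cmd)} "
                  f"written by {', '.join(sorted(a['writers']))}; "
                  f"open-with pattern: {is_open_with_artifact(a)}")
```

Run against this report's lines the script reports a single association, .arm5 -> arm5_auto_file with a Read verb pointing at AcroRd32.exe, written only by rundll32.exe. The same parser can be pointed at a report where a dropper registers a handler for its own extension: there the writer will be the sample's process, and the heuristic returns False.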
Processes
(PIDs are taken from the WriteProcessMemory IoCs above.)

C:\Windows\system32\cmd.exe (PID 864)
    cmd /c C:\Users\Admin\AppData\Local\Temp\UnHAnaAW.arm5
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe (PID 592)
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\UnHAnaAW.arm5
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1380)
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\UnHAnaAW.arm5"
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx

Reading the tree: "cmd /c" on a file whose extension has no registered handler does not execute the file. The shell answers with the Open With dialog, which is shell32.dll's OpenAs_RunDLL hosted in rundll32.exe; whatever was selected in that dialog (Adobe Reader, per the command line) produced the .arm5 association recorded under "Modifies registry class" and launched AcroRd32.exe with the sample as a document. At no point does the sample's own code run, so the 3/10 score and every signature in this report describe the sandbox environment, not the sample. This run establishes neither what the file is nor what it would do on a platform that can load it; check the file format before choosing a sandbox platform.
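A format check before submission is what would have told the analyst that a Windows detonation of this file is uninformative. The following is an added example, not part of the sandbox report: it identifies a file from its header bytes (PE via the MZ/e_lfanew/PE\0\0 chain and the Machine field, ELF via EI_CLASS, EI_DATA and e_machine, plus PDF) and names the platform a run should be scheduled on. The e_machine and PE Machine tables are the standard published constants; the header blobs are constructed for the example and say nothing about what UnHAnaAW.arm5 actually contains.

```python
import struct

# Standard ELF e_machine values (subset) and PE IMAGE_FILE_MACHINE_* values.
ELF_MACHINES = {0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC",
                0x28: "ARM", 0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64",
                0xF3: "RISC-V"}
PE_MACHINES = {0x014C: "x86", 0x01C0: "ARM", 0x01C4: "ARM Thumb-2",
               0x8664: "x86-64", 0xAA64: "AArch64"}


def identify(data: bytes) -> dict:
    """Classify a file from its leading bytes; unknown formats stay unknown."""
    info = {"format": "unknown", "arch": None, "bits": None, "endian": None}
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        ei_class, ei_data = data[4], data[5]
        endian = {1: "<", 2: ">"}.get(ei_data)
        if endian is None:
            info["format"] = "ELF (invalid EI_DATA)"
            return info
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        info.update(format="ELF",
                    bits={1: 32, 2: 64}.get(ei_class),
                    endian={"<": "little", ">": "big"}[endian],
                    arch=ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"))
    elif data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 6:
            (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
            info.update(format="PE", endian="little",
                        bits=64 if machine in (0x8664, 0xAA64) else 32,
                        arch=PE_MACHINES.get(machine, f"unknown(0x{machine:x})"))
        else:
            info["format"] = "MZ (DOS stub without PE header)"
    elif data[:5] == b"%PDF-":
        info["format"] = "PDF"
    return info


def suggested_platform(info: dict) -> str:
    """Sandbox platform for this format; anything else means a Windows run
    reports on the sandbox's file handling, not on the sample."""
    if info["format"] == "PE":
        return "windows"
    if info["format"] == "ELF":
        return "linux/" + (info["arch"] or "unknown").lower()
    if info["format"] == "PDF":
        return "document-viewer"
    return "unknown: identify before detonating"


# Constructed headers, just long enough to exercise each branch (not real samples).
ELF_ARM_LE = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HH", 2, 0x28)
ELF_MIPS_BE = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(">HH", 2, 0x08)
PE_AMD64 = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", 0x8664) + bytes(18))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # 4 KiB covers e_lfanew in practically all PEs; raise it for odd files
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read(4096)}
    else:
        samples = {"ELF_ARM_LE": ELF_ARM_LE, "ELF_MIPS_BE": ELF_MIPS_BE,
                   "PE_AMD64": PE_AMD64}
    for name, blob in samples.items():
        info = identify(blob)
        print(f"{name}: {info} -> {suggested_platform(info)}")
```

Invoke it as `python identify.py <file>` to check a sample before submission; with no argument it runs over the constructed headers. A result other than PE for a sample queued on a Windows image is the cue to reroute it or to discount the Windows report entirely.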