Analysis
-
max time kernel
127s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
22-03-2022 13:15
Behavioral task
behavioral1
Sample
5da245cd-402b-496b-f14b-08da0b7bcad8_ce1e4340-6ce5-a62d-629a-c5377bca0749.eml
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
5da245cd-402b-496b-f14b-08da0b7bcad8_ce1e4340-6ce5-a62d-629a-c5377bca0749.eml
Resource
win10v2004-en-20220113
Behavioral task
behavioral3
Sample
LI042817_980021414_1.pdf
Resource
win7-20220311-en
Behavioral task
behavioral4
Sample
LI042817_980021414_1.pdf
Resource
win10v2004-en-20220113
Behavioral task
behavioral5
Sample
email-html-1.html
Resource
win7-20220310-en
Behavioral task
behavioral6
Sample
email-html-1.html
Resource
win10v2004-en-20220113
General
-
Target
5da245cd-402b-496b-f14b-08da0b7bcad8_ce1e4340-6ce5-a62d-629a-c5377bca0749.eml
-
Size
121KB
-
MD5
dad53ef24de72c315a6171db6587070d
-
SHA1
2c4be8c1a2e1ad69a3a068635abc181804e79dbe
-
SHA256
81496a45e9218e03416b562deac81f493210ae30ebf58deaffbc2bcbe814661d
-
SHA512
6d85a9a47472b2acf6ab93f606d5ffeadf26320c4a45e4f07826b46b8ffbd7bccebfa8237079031977bed8cf79de0810785536879dcaa4c32927e635bf47b1d1
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
cmd.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings OpenWith.exe -
NTFS ADS 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\5da245cd-402b-496b-f14b-08da0b7bcad8_ce1e4340-6ce5-a62d-629a-c5377bca0749.eml:OECustomProperty cmd.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
OpenWith.exepid process 4784 OpenWith.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\5da245cd-402b-496b-f14b-08da0b7bcad8_ce1e4340-6ce5-a62d-629a-c5377bca0749.eml1⤵
- Modifies registry class
- NTFS ADS
PID:4228
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4784