Analysis
- max time kernel: 56s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-04-2022 07:23
Behavioral task: behavioral1
- Sample: PDF - SansAmi (docus français ).rar
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: PDF - SansAmi (docus français ).rar
- Resource: win10v2004-20220414-en
- 0 signatures
- 0 seconds
General
- Target: PDF - SansAmi (docus français ).rar
- Size: 95.9MB
- MD5: 7ae2c12dd9e1c0978b46269dfc8420c0
- SHA1: 44b31dbb921022ca38e174ec6a7da8664a3e654e
- SHA256: c05f8e1cc08e6fa7a21a5042d063d6e2d7569129db332491312b01b12aca037c
- SHA512: 9c447fdfba0be77ec57f06f27c389b096b1e4d9994a2d2fc9ea7ea9b10e02c2e36fc9ce11abb6025217e477b715d08156bfdecb0d49f283aa6a0411f90edebe9
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | process: rundll32.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  description: PID 1016 wrote to memory of 952 | pid: 1016 | process: cmd.exe | target process: rundll32.exe
  description: PID 1016 wrote to memory of 952 | pid: 1016 | process: cmd.exe | target process: rundll32.exe
  description: PID 1016 wrote to memory of 952 | pid: 1016 | process: cmd.exe | target process: rundll32.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\PDF - SansAmi (docus français ).rar"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (depth 2, child of cmd.exe)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PDF - SansAmi (docus français ).rar
    - Modifies registry class