Analysis
- max time kernel: 36s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:19
Static task: static1

Behavioral task: behavioral1
- Sample: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
- Resource: win10v2004-20220414-en

Behavioral task: behavioral3
- Sample: Payment Confirmation.scr
- Resource: win7-20220414-en
General
- Target: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
- Size: 563KB
- MD5: 929ddd432949a0809329d50896cbd7cc
- SHA1: 01f6eb2d1a897dbc346cbb713df2dbb85918bf28
- SHA256: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5
- SHA512: 5e144052f47b123457d346f35af3227546dd9e619f951762ec8184c6edafb2a63e02002be3bcb225a5f72131bbc43909d556b8caa5224e3d9c659d27738d665e
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe
  pid | process
  1744 | vlc.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vlc.exe
  pid | process
  1744 | vlc.exe

- Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes: vlc.exe
  pid | process
  1744 | vlc.exe (7 occurrences)

- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes: vlc.exe
  pid | process
  1744 | vlc.exe (6 occurrences)

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vlc.exe
  pid | process
  1744 | vlc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 1064 wrote to memory of 1980 | 1064 | cmd.exe | rundll32.exe (3 occurrences)
  PID 1980 wrote to memory of 1744 | 1980 | rundll32.exe | vlc.exe (3 occurrences)
Processes

- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    - C:\Program Files\VideoLAN\VLC\vlc.exe
      Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx