Analysis

max time kernel: 163s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 31-05-2022 08:08

Static task: static1

Behavioral task: behavioral1
  Sample: 2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98.bin
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98.bin
  Resource: win10v2004-20220414-en

General

Target: 2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98.bin
Size: 206KB
MD5: d9878ceba3d6734cbb5143a3393a9a07
SHA1: 4c380b7eecfe5c24671229f15d7cc98e656792b4
SHA256: 2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98
SHA512: f8268ca82f84a9e45a7983ff942e4d8dec84d2853ae2337f1bb787fe15d4864f05843d0223fb41470fe41e2fc75c95691d21d37dcde2043df5961c3df1970f79
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The report lists no process under this signature, so the hit cannot be tied to any of the three processes in the tree below; treat the ransomware label as a generic heuristic rather than a verdict.

Modifies registry class (10 IoCs)
Process: rundll32.exe (all entries)
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell\Read\command
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\.bin
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\.bin\ = "bin_auto_file"
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell\Read
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
\REGISTRY\USER\<SID>_CLASSES is the kernel path of that user's HKCU\Software\Classes hive. The ten writes are the Open With dialog (shell32.dll,OpenAs_RunDLL in the process tree) registering a per-user file association: .bin now maps to the new ProgID bin_auto_file, whose Read verb runs Adobe Reader 9.0 on the selected file (%1). The Local Settings\...\MuiCache key is where the shell caches application display names. Nothing here persists code from the sample; it only changes what opening a .bin file does for this user.

Suspicious use of SetWindowsHookEx (3 IoCs)
Process: AcroRd32.exe
PID 588 AcroRd32.exe (3 calls)
All three hook calls come from the Adobe Reader process that the Open With dialog started; no process in this report runs the sample's own code.

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: cmd.exe, rundll32.exe
PID 1964 cmd.exe wrote to memory of PID 960 rundll32.exe (3 calls)
PID 960 rundll32.exe wrote to memory of PID 588 AcroRd32.exe (4 calls)
Each write targets a child the source process has just created (cmd.exe -> rundll32.exe -> AcroRd32.exe), which is consistent with ordinary process creation; there is no write into a pre-existing or unrelated process.
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98.bin
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98.bin
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98.bin"
         - Suspicious use of SetWindowsHookEx

Reading the tree: the sample was submitted with a .bin extension and launched with cmd /c. No handler was registered for .bin on the analysis image, so the shell raised the Open With dialog (shell32.dll,OpenAs_RunDLL) instead of executing anything; the application picked in that dialog, Adobe Reader 9.0, accounts for both the registry changes and the AcroRd32.exe process. None of the three processes is the sample's own code running, so the signatures above describe how the host handled an unknown file type rather than what the file does. To observe the latter, resubmit the file under the extension that matches its actual format (or as a PDF if that is what Reader is expected to parse).
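As an added example (not part of the sandbox report or its vendor's tooling), the following Python parses the two IoC lists above exactly as the report renders them, resolves the .bin association that rundll32.exe registered (.bin -> bin_auto_file -> shell\Read\command), collapses the repeated WriteProcessMemory entries into a parent-to-child chain, and checks that the leaf process's command line is exactly what the new Read verb launches for the sample path. The SAMPLE path and all IoC lines are copied from the report; pairing each command line with a PID is an assumption drawn from the WriteProcessMemory entries, since the process list itself shows no PIDs.

```python
"""Added example, not part of the sandbox report: parse the report's registry and
WriteProcessMemory IoCs, resolve the .bin association rundll32.exe registered, collapse
the per-call WriteProcessMemory entries into a process chain, and check that the leaf
process is exactly what the new association launches."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2cf96acaf71dfc56df74287d20714e4ff899eef7bf1caffd42180e8cc733ab98.bin"

# Constructed from the report's 'Modifies registry class' IoCs (REG_SZ data C-style quoted).
REGISTRY_IOCS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell\Read\command rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\ rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\.bin rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\.bin\ = "bin_auto_file" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\bin_auto_file\shell\Read rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe
'''

# Constructed from the report's 'Suspicious use of WriteProcessMemory' IoCs.
WPM_IOCS = '''
PID 1964 wrote to memory of 960 1964 cmd.exe rundll32.exe
PID 1964 wrote to memory of 960 1964 cmd.exe rundll32.exe
PID 1964 wrote to memory of 960 1964 cmd.exe rundll32.exe
PID 960 wrote to memory of 588 960 rundll32.exe AcroRd32.exe
PID 960 wrote to memory of 588 960 rundll32.exe AcroRd32.exe
PID 960 wrote to memory of 588 960 rundll32.exe AcroRd32.exe
PID 960 wrote to memory of 588 960 rundll32.exe AcroRd32.exe
'''

# Command lines from the Processes section; pairing them with PIDs is an assumption
# taken from the WriteProcessMemory IoCs, as the process list itself shows no PIDs.
CMDLINES = {
    1964: "cmd /c " + SAMPLE,
    960: r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL ' + SAMPLE,
    588: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "' + SAMPLE + '"',
}

REG_LINE = re.compile(r'^(Set value \(str\)|Key created) (.*) (\S+)$')
WPM_LINE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')

def reg_sz(data):
    """Undo the report's C-style quoting of REG_SZ data (outer quotes, backslash escapes)."""
    if data is None or len(data) < 2 or data[0] != '"' or data[-1] != '"':
        return data
    return re.sub(r'\\(.)', r'\1', data[1:-1])

def parse_registry_iocs(text):
    """{key: data} from 'Set value' lines; keys lower-cased, trailing '\\' (default value) dropped."""
    values = {}
    for line in text.strip().splitlines():
        op, middle, _proc = REG_LINE.match(line).groups()  # unparsed line -> AttributeError
        key, data = middle.split(' = ', 1) if ' = ' in middle else (middle, None)
        if op.startswith('Set value'):  # 'Key created' lines carry no data
            values[key.rstrip('\\').lower()] = data
    return values

def resolve_association(values, ext, verb):
    """ext -> ProgID -> shell\\<verb>\\command inside one user's \\REGISTRY\\USER\\<SID>_CLASSES hive."""
    ext_key = next(k for k in values if k.endswith('_classes\\' + ext.lower()))
    hive = ext_key[:-len(ext)]
    progid = reg_sz(values[ext_key])
    return progid, reg_sz(values[hive + progid.lower() + '\\shell\\' + verb.lower() + '\\command'])

def parse_wpm_iocs(text):
    """Collapse per-call entries into ({(src_pid, dst_pid): calls}, {pid: image})."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        src, dst, src_img, dst_img = WPM_LINE.match(line).groups()
        src, dst = int(src), int(dst)
        images[src], images[dst] = src_img, dst_img
        edges[(src, dst)] += 1
    return edges, images

def process_chain(edges):
    """Root-to-leaf PID chain; the unpacks raise if the tree has several roots or branches."""
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    (root,) = set(children) - {d for kids in children.values() for d in kids}
    chain = [root]
    while chain[-1] in children:
        (nxt,) = children[chain[-1]]
        chain.append(nxt)
    return chain

def analyse():
    progid, template = resolve_association(parse_registry_iocs(REGISTRY_IOCS), '.bin', 'Read')
    edges, images = parse_wpm_iocs(WPM_IOCS)
    chain = process_chain(edges)
    return {
        'progid': progid,
        'command': template,
        'chain': [(pid, images[pid]) for pid in chain],
        'wpm_calls': dict(edges),
        # the leaf process is exactly what the new Read verb launches for the sample
        'association_explains_launch': CMDLINES[chain[-1]] == template.replace('%1', SAMPLE),
        'open_with_dialog': 'OpenAs_RunDLL' in CMDLINES[chain[1]],
    }
```

Calling analyse() returns the chain cmd.exe (1964) -> rundll32.exe (960) -> AcroRd32.exe (588) with 3 and 4 WriteProcessMemory calls on the two edges, the unescaped Read command "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1", and association_explains_launch set, which is the concrete check that the Reader process was started by the association the Open With dialog wrote rather than by anything in the sample. The same parser applies to other reports in this format; process_chain deliberately fails on a branching tree so a report with more than one child per process is not silently misread.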