ae43160d7dad131c3bacdf5ff482a428523de85a35e874d1906fd7f9c68ed97f

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
27-07-2022 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae43160d7dad131c3bacdf5ff482a428523de85a35e874d1906fd7f9c68ed97f.rar
Size

7.2MB
MD5

172a7890019407d97763bf98a16c784b
SHA1

95a0d75e65bbe26a1a7f16c48ec8c2c62e499877
SHA256

ae43160d7dad131c3bacdf5ff482a428523de85a35e874d1906fd7f9c68ed97f
SHA512

1d8e941cdb844c55a5954af443f15e9579544ade1b961f6a57550ad13b8c21fdeae20064e4a8adb89f921a598a000f2e108fc5f83c8a21e889d4c2a914b34263

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1248 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1248 vlc.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

vlc.exe

pid process

1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

vlc.exe

pid process

1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
1248 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1248 vlc.exe

pid	process
1248	vlc.exe

pid	process
1248	vlc.exe

pid	process
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe

pid	process
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe
1248	vlc.exe

pid	process
1248	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 908 wrote to memory of 2000	908	cmd.exe	rundll32.exe
PID 908 wrote to memory of 2000	908	cmd.exe	rundll32.exe
PID 908 wrote to memory of 2000	908	cmd.exe	rundll32.exe
PID 2000 wrote to memory of 1248	2000	rundll32.exe	vlc.exe
PID 2000 wrote to memory of 1248	2000	rundll32.exe	vlc.exe
PID 2000 wrote to memory of 1248	2000	rundll32.exe	vlc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ae43160d7dad131c3bacdf5ff482a428523de85a35e874d1906fd7f9c68ed97f.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ae43160d7dad131c3bacdf5ff482a428523de85a35e874d1906fd7f9c68ed97f.rar
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\ae43160d7dad131c3bacdf5ff482a428523de85a35e874d1906fd7f9c68ed97f.rar"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1248

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-54-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download
memory/1248-81-0x0000000000000000-mapping.dmp

Download
memory/2000-76-0x0000000000000000-mapping.dmp

Download