Analysis
- max time kernel: 41s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2022 18:52
Behavioral task: behavioral1
- Sample: ddbec48cb5402919199d97220cf6646f7c270f91dbeb7e179d54a439d4555256.rar
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: ddbec48cb5402919199d97220cf6646f7c270f91dbeb7e179d54a439d4555256.rar
- Resource: win10v2004-20220721-en
Behavioral task: behavioral3
- Sample: Setup/Setup.exe
- Resource: win7-20220718-en
General
- Target: ddbec48cb5402919199d97220cf6646f7c270f91dbeb7e179d54a439d4555256.rar
- Size: 7.8MB
- MD5: 6556997cc9dc59bd4c31211bb2ae70f3
- SHA1: 377f116ced2a0156e800c1e09b6e96721efb0c09
- SHA256: ddbec48cb5402919199d97220cf6646f7c270f91dbeb7e179d54a439d4555256
- SHA512: 763cf97e6e326596ee17a999c89a7684e7235a5cfb7ab342b286bfe86cb7cc9dcf0a930dcc3f6f1d7af1bd30fd1a2c0120c11b15fd9bdecc09f93b126664483b
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: vlc.exe
  pid | process
  1000 | vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: vlc.exe
  pid | process
  1000 | vlc.exe
- Suspicious use of FindShellTrayWindow (9 IoCs)
  Processes: vlc.exe
  pid | process
  1000 | vlc.exe (listed 9 times)
- Suspicious use of SendNotifyMessage (8 IoCs)
  Processes: vlc.exe
  pid | process
  1000 | vlc.exe (listed 8 times)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: vlc.exe
  pid | process
  1000 | vlc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 1988 wrote to memory of 1252 | 1988 | cmd.exe | rundll32.exe (listed 3 times)
  PID 1252 wrote to memory of 1000 | 1252 | rundll32.exe | vlc.exe (listed 3 times)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ddbec48cb5402919199d97220cf6646f7c270f91dbeb7e179d54a439d4555256.rar
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ddbec48cb5402919199d97220cf6646f7c270f91dbeb7e179d54a439d4555256.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\VideoLAN\VLC\vlc.exe
      Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\ddbec48cb5402919199d97220cf6646f7c270f91dbeb7e179d54a439d4555256.rar"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx