Analysis
- max time kernel: 47s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 30-09-2022 20:03
Static task: static1

Behavioral task | Sample                                             | Resource
behavioral1     | Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.zip | win7-20220901-en
behavioral2     | Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.zip | win10v2004-20220812-en
behavioral3     | Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe | win7-20220812-en
behavioral4     | Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe | win10v2004-20220812-en
behavioral5     | FILE_ID.diz                                        | win7-20220901-en
behavioral6     | FILE_ID.diz                                        | win10v2004-20220812-en
behavioral7     | Password.HERE.jpg                                  | win7-20220812-en
behavioral8     | Password.HERE.jpg                                  | win10v2004-20220812-en
General
- Target: FILE_ID.diz
- Size: 60B
- MD5: 54a89f6237f4bc3257ce50820b703d6c
- SHA1: 8efc3c48171d9f7ca790fcaa9f9dcfd399b0331d
- SHA256: 21b9eef3ed3d6be523cf01c4e2c6e6ad03159183092a880ce5315f7378b5e3ed
- SHA512: b7d32bb3ac19a83f578c3b46028565290cff304e37398836fb77f95f6f4b154790db4b0cd197cfd1835a110b47f740600d38e30fc8fefc94bb97da5ef4212e53
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (13 IoCs)
  Processes: rundll32.exe
  description     | ioc                                                                                                                          | process
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings                                            | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache   | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\                                            | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\shell                                       | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\shell\open                                  | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\shell\open\command                          | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file                                             | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.diz                                                      | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.diz\ = "diz_auto_file"                                   | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\shell\edit                                  | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\shell\edit\command                          | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\diz_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  744 | NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, rundll32.exe
  description                      | pid  | process      | target process
  PID 1380 wrote to memory of 1140 | 1380 | cmd.exe      | rundll32.exe
  PID 1380 wrote to memory of 1140 | 1380 | cmd.exe      | rundll32.exe
  PID 1380 wrote to memory of 1140 | 1380 | cmd.exe      | rundll32.exe
  PID 1140 wrote to memory of 744  | 1140 | rundll32.exe | NOTEPAD.EXE
  PID 1140 wrote to memory of 744  | 1140 | rundll32.exe | NOTEPAD.EXE
  PID 1140 wrote to memory of 744  | 1140 | rundll32.exe | NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FILE_ID.diz
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FILE_ID.diz
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\FILE_ID.diz
      - Opens file in notepad (likely ransom note)