Analysis
max time kernel: 110s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: fwdPacking List (8.76 KB).msg
  Resource: win10v2004-20220812-en
Behavioral task: behavioral2
  Sample: Packing List.chm
  Resource: win10v2004-20220812-en
General
Target: fwdPacking List (8.76 KB).msg
Size: 25KB
MD5: 22cac913784ba7331e7aa96ce23fc7ed
SHA1: 470cb89eaf735348d3ddc0ec1dd25d51a390e653
SHA256: c3dabf7c8397559c952aa488cf7f6ad57ba614e0e17923ac061a5cadcc94c6ef
SHA512: f4055bbd44abda4a9eb20a95ee372e981f8963bf78e7d5ba04542fc6e6629a95f6d9cdd6315cd9b27c508ff3c94c762d5faa4f687b150b888d9a189210755ca0
SSDEEP: 384:4sSDaf9+XzLT4qgFxJb3ujB5GbEpw144fLnxdjU1o78/8sA:4sSDaf9+XvT4qgFfb+rGyw14k/8o7O
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: OpenWith.exe
  pid | process
  1628 | OpenWith.exe

Suspicious use of SetWindowsHookEx (39 IoCs)
  Processes: OpenWith.exe
  pid | process
  1628 | OpenWith.exe (the same row is repeated for each of the 39 IoCs)

Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description | pid | process | target process
  PID 1628 wrote to memory of 1672 | 1628 | OpenWith.exe | NOTEPAD.EXE
  PID 1628 wrote to memory of 1672 | 1628 | OpenWith.exe | NOTEPAD.EXE
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\fwdPacking List (8.76 KB).msg"
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE (child of OpenWith.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\fwdPacking List (8.76 KB).msg
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1672-132-0x0000000000000000-mapping.dmp