Overview
overview
8Static
static
8Pitch Black/Game.exe
windows7-x64
6Pitch Black/Game.exe
windows10-2004-x64
1Pitch Blac...rgss3a
windows7-x64
3Pitch Blac...rgss3a
windows10-2004-x64
3Pitch Black/Setup.exe
windows7-x64
1Pitch Black/Setup.exe
windows10-2004-x64
7Pitch Blac...00.dll
windows7-x64
6Pitch Blac...00.dll
windows10-2004-x64
3Pitch Blac...01.dll
windows7-x64
6Pitch Blac...01.dll
windows10-2004-x64
3Pitch Blac....mplus
windows7-x64
3Pitch Blac....mplus
windows10-2004-x64
3Pitch Blac....mplus
windows7-x64
3Pitch Blac....mplus
windows10-2004-x64
3Pitch Blac....mplus
windows7-x64
3Pitch Blac....mplus
windows10-2004-x64
3Pitch Blac....mplus
windows7-x64
3Pitch Blac....mplus
windows10-2004-x64
3Analysis
-
max time kernel
190s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-10-2022 11:32
Behavioral task
behavioral1
Sample
Pitch Black/Game.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Pitch Black/Game.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
Pitch Black/Game.rgss3a
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
Pitch Black/Game.rgss3a
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
Pitch Black/Setup.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
Pitch Black/Setup.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral7
Sample
Pitch Black/System/RGSS300.dll
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
Pitch Black/System/RGSS300.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
Pitch Black/System/RGSS301.dll
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
Pitch Black/System/RGSS301.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral11
Sample
Pitch Black/fonts/VLGothic/LICENSE_E.mplus
Resource
win7-20220812-en
Behavioral task
behavioral12
Sample
Pitch Black/fonts/VLGothic/LICENSE_E.mplus
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
Pitch Black/fonts/VLGothic/LICENSE_J.mplus
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
Pitch Black/fonts/VLGothic/LICENSE_J.mplus
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
Pitch Black/fonts/VLGothic/README_E.mplus
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
Pitch Black/fonts/VLGothic/README_E.mplus
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
Pitch Black/fonts/VLGothic/README_J.mplus
Resource
win7-20220901-en
Behavioral task
behavioral18
Sample
Pitch Black/fonts/VLGothic/README_J.mplus
Resource
win10v2004-20220812-en
General
-
Target
Pitch Black/Game.rgss3a
-
Size
91.6MB
-
MD5
c58f67f79881e3f790b38e90e2e8f1fa
-
SHA1
c12cc5fc83bdbaf53dd4f402ce3917e66a43b1ee
-
SHA256
c28c046211076958fab1f81f5bfc7724377ecc4bb1afcda4f6b1f4751148be31
-
SHA512
0647f88686ffa33e0fa493c6b9512a3204758f811767a1c3c6674a60d55b0a7aa288283d96a2a5352c01d0bec438305addef782bad132d4f7510ce2486327a5a
-
SSDEEP
1572864:sVUOMo7XDaPiqviFbwCtG3f+UjdvuIyBqAVtMIUQ4B3ojTVR+8uexmhYSsbIL:gnvnFvs3fjm3BqAtZNWojJR+8uexmubw
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.rgss3a\ = "rgss3a_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.rgss3a rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
AcroRd32.exepid process 1712 AcroRd32.exe 1712 AcroRd32.exe 1712 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2040 wrote to memory of 568 2040 cmd.exe rundll32.exe PID 2040 wrote to memory of 568 2040 cmd.exe rundll32.exe PID 2040 wrote to memory of 568 2040 cmd.exe rundll32.exe PID 568 wrote to memory of 1712 568 rundll32.exe AcroRd32.exe PID 568 wrote to memory of 1712 568 rundll32.exe AcroRd32.exe PID 568 wrote to memory of 1712 568 rundll32.exe AcroRd32.exe PID 568 wrote to memory of 1712 568 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.rgss3a"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.rgss3a2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.rgss3a"3⤵
- Suspicious use of SetWindowsHookEx