b385ce3e5717c49e2f61516c9f9e68449e111a557979a1f1ac28798d5fba9dc5

Resubmissions

03-10-2022 12:20

221003-phxswafbe5 8

03-10-2022 11:32

221003-nnhqgadhgk 8

Analysis

max time kernel
190s
max time network
118s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pitch Black/Game.rgss3a
Size

91.6MB
MD5

c58f67f79881e3f790b38e90e2e8f1fa
SHA1

c12cc5fc83bdbaf53dd4f402ce3917e66a43b1ee
SHA256

c28c046211076958fab1f81f5bfc7724377ecc4bb1afcda4f6b1f4751148be31
SHA512

0647f88686ffa33e0fa493c6b9512a3204758f811767a1c3c6674a60d55b0a7aa288283d96a2a5352c01d0bec438305addef782bad132d4f7510ce2486327a5a
SSDEEP

1572864:sVUOMo7XDaPiqviFbwCtG3f+UjdvuIyBqAVtMIUQ4B3ojTVR+8uexmhYSsbIL:gnvnFvs3fjm3BqAtZNWojJR+8uexmubw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.rgss3a\ = "rgss3a_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.rgss3a	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\rgss3a_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1712 AcroRd32.exe
1712 AcroRd32.exe
1712 AcroRd32.exe

pid	process
1712	AcroRd32.exe
1712	AcroRd32.exe
1712	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2040 wrote to memory of 568	2040	cmd.exe	rundll32.exe
PID 2040 wrote to memory of 568	2040	cmd.exe	rundll32.exe
PID 2040 wrote to memory of 568	2040	cmd.exe	rundll32.exe
PID 568 wrote to memory of 1712	568	rundll32.exe	AcroRd32.exe
PID 568 wrote to memory of 1712	568	rundll32.exe	AcroRd32.exe
PID 568 wrote to memory of 1712	568	rundll32.exe	AcroRd32.exe
PID 568 wrote to memory of 1712	568	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.rgss3a"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.rgss3a
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:568

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.rgss3a"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1712

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-76-0x0000000000000000-mapping.dmp

Download
memory/1712-81-0x0000000000000000-mapping.dmp

Download
memory/1712-82-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/2040-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download