bbc1e019335b4260db85249d6d537bbecd4e3053fca3c4a8a9daf69a86c31633

Analysis

max time kernel
63s
max time network
65s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:46

Target

bbc1e019335b4260db85249d6d537bbecd4e3053fca3c4a8a9daf69a86c31633.rar
Size

278KB
MD5

3508b1e88a97f68a7d019e2d65ed5f9d
SHA1

248f12031f59462baac1632596d0e1fece16e577
SHA256

bbc1e019335b4260db85249d6d537bbecd4e3053fca3c4a8a9daf69a86c31633
SHA512

0fa37d24b2244a604b2e416750abd8c1071d7e663fc48b3fccd97dea575ec8993edc6f48357664e131ce046b2c974337e4a15241aa0563a401560bea7c0ac47d
SSDEEP

6144:ati5NzJU2JZlZDyfXrCbrZMPM+N3VnM9PgN6NlE/qO:CKNz3b1YrCPZMPM+Je9YK+/qO

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

784 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

784 vlc.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

vlc.exe

pid process

784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

vlc.exe

pid process

784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
784 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

784 vlc.exe

pid	process
784	vlc.exe

pid	process
784	vlc.exe

pid	process
784	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 968 wrote to memory of 892	968	cmd.exe	rundll32.exe
PID 968 wrote to memory of 892	968	cmd.exe	rundll32.exe
PID 968 wrote to memory of 892	968	cmd.exe	rundll32.exe
PID 892 wrote to memory of 784	892	rundll32.exe	vlc.exe
PID 892 wrote to memory of 784	892	rundll32.exe	vlc.exe
PID 892 wrote to memory of 784	892	rundll32.exe	vlc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bbc1e019335b4260db85249d6d537bbecd4e3053fca3c4a8a9daf69a86c31633.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bbc1e019335b4260db85249d6d537bbecd4e3053fca3c4a8a9daf69a86c31633.rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\bbc1e019335b4260db85249d6d537bbecd4e3053fca3c4a8a9daf69a86c31633.rar"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:784

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/784-81-0x0000000000000000-mapping.dmp

Download
memory/892-76-0x0000000000000000-mapping.dmp

Download
memory/968-54-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download