337718a0dfbbc9937e51b4cd3696e27e4b25f236b57b7b2e06927ccf620abc9c

Analysis

max time kernel
249s
max time network
261s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
Size

18.3MB
MD5

cacf1fee8b098ba6ea24596c59a2568d
SHA1

58c3bddb769d655ea62e5628f52e1e9455677ff5
SHA256

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9
SHA512

971791afd3e9a5973791c593fa0275e1252df45b547b774f572354607c1ef1ab158a54a3191aae34819febd0620598739840c29363923ccde4bf64e24f39855f
SSDEEP

393216:Ewxw+nffqY5z4ZfsP1PUnjOsxvYhPiPlXwalMdxQLgJx4cct1Fa:VxR/P1gO4vaClmdxQLgo31M

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

PG2Ray.exe

pid process

2876 PG2Ray.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2876	PG2Ray.exe

Modifies registry class 2 IoCs

Processes:

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5008 NOTEPAD.EXE

pid	process
5008	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

pid	process
5108	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
5108	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
3704	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
3704	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
"C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
1⤵
- Opens file in notepad (likely ransom note)
PID:5008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
"C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe
"C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe"
1⤵
- Executes dropped EXE
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe
Filesize
1.8MB

MD5
9d50ce7b01d0e0ff0f77114e3bb61c94

SHA1
ee40f132c21a6c8df4f3ffd9a03470074ba8a305

SHA256
02376cbfda9977acf0ca740b0abd74d558b0fb100608cbdb98224ff928d09e6c

SHA512
74cc62da240b9158aa3be35a4b855b2e582c19a8b2e39a76ddd408465c0196c7132e9406094343e7b10317f4de6c4102ca2a253446e7dd69366430e83005afaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe
Filesize
1.8MB

MD5
9d50ce7b01d0e0ff0f77114e3bb61c94

SHA1
ee40f132c21a6c8df4f3ffd9a03470074ba8a305

SHA256
02376cbfda9977acf0ca740b0abd74d558b0fb100608cbdb98224ff928d09e6c

SHA512
74cc62da240b9158aa3be35a4b855b2e582c19a8b2e39a76ddd408465c0196c7132e9406094343e7b10317f4de6c4102ca2a253446e7dd69366430e83005afaf

Download Submit
memory/2876-134-0x0000025F4ECD0000-0x0000025F4EE9E000-memory.dmp

Filesize
1.8MB

Download
memory/2876-135-0x00007FFB5A430000-0x00007FFB5AEF1000-memory.dmp

Filesize
10.8MB

Download
memory/2876-136-0x00007FFB5A430000-0x00007FFB5AEF1000-memory.dmp

Filesize
10.8MB

Download