337718a0dfbbc9937e51b4cd3696e27e4b25f236b57b7b2e06927ccf620abc9c

Analysis

max time kernel
249s
max time network
261s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
Size

18.3MB
MD5

cacf1fee8b098ba6ea24596c59a2568d
SHA1

58c3bddb769d655ea62e5628f52e1e9455677ff5
SHA256

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9
SHA512

971791afd3e9a5973791c593fa0275e1252df45b547b774f572354607c1ef1ab158a54a3191aae34819febd0620598739840c29363923ccde4bf64e24f39855f
SSDEEP

393216:Ewxw+nffqY5z4ZfsP1PUnjOsxvYhPiPlXwalMdxQLgJx4cct1Fa:VxR/P1gO4vaClmdxQLgo31M

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

PG2Ray.exe

pid process

2876 PG2Ray.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2876	PG2Ray.exe

Modifies registry class 2 IoCs

Processes:

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5008 NOTEPAD.EXE

pid	process
5008	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

pid	process
5108	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
5108	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
3704	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
3704	8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe

C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
"C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
1⤵
- Opens file in notepad (likely ransom note)
PID:5008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe
"C:\Users\Admin\AppData\Local\Temp\8143b0cb84672f7f1885dbc0d7e7884cd3a5a2a8b7a2fc0d3a684780312d8eb9.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe
"C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe"
1⤵
- Executes dropped EXE
PID:2876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe

Filesize
1.8MB

MD5
9d50ce7b01d0e0ff0f77114e3bb61c94

SHA1
ee40f132c21a6c8df4f3ffd9a03470074ba8a305

SHA256
02376cbfda9977acf0ca740b0abd74d558b0fb100608cbdb98224ff928d09e6c

SHA512
74cc62da240b9158aa3be35a4b855b2e582c19a8b2e39a76ddd408465c0196c7132e9406094343e7b10317f4de6c4102ca2a253446e7dd69366430e83005afaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PG2Ray102\PG2Ray.exe

Filesize
1.8MB

MD5
9d50ce7b01d0e0ff0f77114e3bb61c94

SHA1
ee40f132c21a6c8df4f3ffd9a03470074ba8a305

SHA256
02376cbfda9977acf0ca740b0abd74d558b0fb100608cbdb98224ff928d09e6c

SHA512
74cc62da240b9158aa3be35a4b855b2e582c19a8b2e39a76ddd408465c0196c7132e9406094343e7b10317f4de6c4102ca2a253446e7dd69366430e83005afaf

Download Submit
memory/2876-134-0x0000025F4ECD0000-0x0000025F4EE9E000-memory.dmp

Filesize
1.8MB

Download
memory/2876-135-0x00007FFB5A430000-0x00007FFB5AEF1000-memory.dmp

Filesize
10.8MB

Download
memory/2876-136-0x00007FFB5A430000-0x00007FFB5AEF1000-memory.dmp

Filesize
10.8MB

Download