Analysis
- max time kernel: 235s
- max time network: 338s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 00:33
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0.9.4/scripts/client/CameraNode.pyc
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: 0.9.4/scripts/client/CameraNode.pyc
  Resource: win10v2004-20220812-en
- Behavioral task: behavioral3
  Sample: 0.9.4/scripts/client/mods/Zaraza_LsdMax.pyc
  Resource: win7-20220812-en
- Behavioral task: behavioral4
  Sample: 0.9.4/scripts/client/mods/Zaraza_LsdMax.pyc
  Resource: win10v2004-20220901-en
- Behavioral task: behavioral5
  Sample: 0.9.4/scripts/client/mods/__init__.pyc
  Resource: win7-20220812-en
- Behavioral task: behavioral6
  Sample: 0.9.4/scripts/client/mods/__init__.pyc
  Resource: win10v2004-20220901-en
- Behavioral task: behavioral7
  Sample: 0.9.4/scripts/client/mods/lsdmax/lsdmaxEngine.pyc
  Resource: win7-20221111-en
- Behavioral task: behavioral8
  Sample: 0.9.4/scripts/client/mods/lsdmax/lsdmaxEngine.pyc
  Resource: win10v2004-20220812-en
- Behavioral task: behavioral9
  Sample: 0.9.4/scripts/client/mods/lsdmax/mods/lsdmax_Aimbot.pyc
  Resource: win7-20220901-en
- Behavioral task: behavioral10
  Sample: 0.9.4/scripts/client/mods/lsdmax/mods/lsdmax_Aimbot.pyc
  Resource: win10v2004-20220812-en
- Behavioral task: behavioral11
  Sample: StartVanga.exe
  Resource: win7-20220812-en
General
- Target: 0.9.4/scripts/client/mods/lsdmax/lsdmaxEngine.pyc
- Size: 20KB
- MD5: 5e980c6f1e78cee396a3a0536c9000a9
- SHA1: 548f5943b8b7ea67c4b6563bdc4190e4bdd94557
- SHA256: f9d91637ac93c1e10c5b7a7278c6512e51d8876ccf44a9bf603a127d3c089298
- SHA512: c5a16dbabb6b78acb92b999b1f1c59bd2d5c82d08849f616bc02dd0bed3846d4ae96c1ae34ce44db74981b72cef7b16a29d3b6a04bc1387c7fe264a83d897e72
- SSDEEP: 384:TEZk1NvJorGM1YoA2gkwjyXI80lM86NG47S5CSxzdGNEq2I:TO5rG1ouVjyXIZS8mG470xIEPI
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (10 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\.pyc | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\pyc_auto_file | rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1716 | AcroRd32.exe
  1716 | AcroRd32.exe
  1716 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 560 wrote to memory of 1788 | 560 | cmd.exe | rundll32.exe
  PID 560 wrote to memory of 1788 | 560 | cmd.exe | rundll32.exe
  PID 560 wrote to memory of 1788 | 560 | cmd.exe | rundll32.exe
  PID 1788 wrote to memory of 1716 | 1788 | rundll32.exe | AcroRd32.exe
  PID 1788 wrote to memory of 1716 | 1788 | rundll32.exe | AcroRd32.exe
  PID 1788 wrote to memory of 1716 | 1788 | rundll32.exe | AcroRd32.exe
  PID 1788 wrote to memory of 1716 | 1788 | rundll32.exe | AcroRd32.exe
Processes (process tree, depth shown by indentation)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0.9.4\scripts\client\mods\lsdmax\lsdmaxEngine.pyc
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\0.9.4\scripts\client\mods\lsdmax\lsdmaxEngine.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0.9.4\scripts\client\mods\lsdmax\lsdmaxEngine.pyc"
      - Suspicious use of SetWindowsHookEx