Overview
overview
10Static
static
RRFB17.vhd
windows7-x64
3RRFB17.vhd
windows10-2004-x64
3out.vhd
windows7-x64
1out.vhd
windows10-2004-x64
1RR.lnk
windows7-x64
10RR.lnk
windows10-2004-x64
10System Vol...gs.dat
windows7-x64
3System Vol...gs.dat
windows10-2004-x64
3unmarketable/awed.gif
windows7-x64
1unmarketable/awed.gif
windows10-2004-x64
1unmarketab...ne.dll
windows7-x64
10unmarketab...ne.dll
windows10-2004-x64
10unmarketab...ng.gif
windows7-x64
1unmarketab...ng.gif
windows10-2004-x64
1unmarketab...ng.txt
windows7-x64
1unmarketab...ng.txt
windows10-2004-x64
1unmarketab...us.cmd
windows7-x64
1unmarketab...us.cmd
windows10-2004-x64
1unmarketab...le.cmd
windows7-x64
1unmarketab...le.cmd
windows10-2004-x64
1unmarketab...le.jpg
windows7-x64
3unmarketab...le.jpg
windows10-2004-x64
3unmarketab...ng.png
windows7-x64
3unmarketab...ng.png
windows10-2004-x64
3Analysis
-
max time kernel
88s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
14-12-2022 23:03
Static task
static1
Behavioral task
behavioral1
Sample
RRFB17.vhd
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
RRFB17.vhd
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
out.vhd
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
out.vhd
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
RR.lnk
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
RR.lnk
Resource
win10v2004-20221111-en
Behavioral task
behavioral7
Sample
System Volume Information/WPSettings.dat
Resource
win7-20220901-en
Behavioral task
behavioral8
Sample
System Volume Information/WPSettings.dat
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
unmarketable/awed.gif
Resource
win7-20221111-en
Behavioral task
behavioral10
Sample
unmarketable/awed.gif
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
unmarketable/condone.dll
Resource
win7-20221111-en
Behavioral task
behavioral12
Sample
unmarketable/condone.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
unmarketable/dislodging.gif
Resource
win7-20221111-en
Behavioral task
behavioral14
Sample
unmarketable/dislodging.gif
Resource
win10v2004-20220901-en
Behavioral task
behavioral15
Sample
unmarketable/embedding.txt
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
unmarketable/embedding.txt
Resource
win10v2004-20221111-en
Behavioral task
behavioral17
Sample
unmarketable/multifarious.cmd
Resource
win7-20220812-en
Behavioral task
behavioral18
Sample
unmarketable/multifarious.cmd
Resource
win10v2004-20221111-en
Behavioral task
behavioral19
Sample
unmarketable/placeable.cmd
Resource
win7-20221111-en
Behavioral task
behavioral20
Sample
unmarketable/placeable.cmd
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
unmarketable/profitable.jpg
Resource
win7-20220901-en
Behavioral task
behavioral22
Sample
unmarketable/profitable.jpg
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
unmarketable/strewing.png
Resource
win7-20221111-en
Behavioral task
behavioral24
Sample
unmarketable/strewing.png
Resource
win10v2004-20220812-en
General
-
Target
RRFB17.vhd
-
Size
2.0MB
-
MD5
9550997039bcbbbfb97efcb802b53a93
-
SHA1
9db73320291c262c35c944011dd6c9b1ee9a4c0b
-
SHA256
3041536c2a8e1a90ee11ba958e9ee764404a801fda04af11d256475064f752a6
-
SHA512
277fc3df93591324dd6796d586f6d9a74376f68ae9369982b6777e2efe7dad5b7e066600b9243dae9ef89ac2f0a31ccf21e8d0d7f9a854e99f0d3dbc43fcc3fe
-
SSDEEP
24576:ldBrbfL6VHOe+lhMjcxy9tnYu8UQw8Md:ldBXT6FOe+l+j4Yx8UQw8M
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
rundll32.exepid process 752 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 1744 wrote to memory of 752 1744 cmd.exe rundll32.exe PID 1744 wrote to memory of 752 1744 cmd.exe rundll32.exe PID 1744 wrote to memory of 752 1744 cmd.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\RRFB17.vhd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RRFB17.vhd2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam