Analysis

  • max time kernel
    72s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2022, 13:05

General

  • Target

    Desktop.rar

  • Size

    1KB

  • MD5

    3085f3f29c18f0a8e1eba9a51488fc2f

  • SHA1

    c72aeafe0bce67bd984451c342858d498c09825e

  • SHA256

    5edc6eee6e2369444b1107a20f48c56e5236bb630b1c064b30e5a6e45b55bad8

  • SHA512

    de6d23d8fec4e7c8d6a86d54e4844c66162869b02876917b876e7219c77926dfe1e1482c94ece34c3faa1cffb58f6555bbb4cfe48de30f5082534edd1fd65be8

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\ReadMe.LOCKEDFILECR.txt

Ransom Note
ATTENTION!!! All your files are encrypted by reliable encryption algorithms There is no other way to recover your files without our help All encrypted files have .LOCKEDFILECR extension You can return all your files back only if contact us within 72 hours There is no other way to get your files back Also all your bussiness related data has been updloaded to our server. We will publish all your data and spread it to all your bussiness contacts, competitors and social media. You have only 72 hour to stop it. How to contact us: 1) Install TOR browser from: https://torproject.org/ 2) Contact us by this link: http://i6zulsy4dscbshpmb7nyftunojse37fw6x3m4w3ccv5uucjiwkawctad.onion/54df3baef130c81e6ae8432a2567320a/
URLs

http://i6zulsy4dscbshpmb7nyftunojse37fw6x3m4w3ccv5uucjiwkawctad.onion/54df3baef130c81e6ae8432a2567320a/

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Desktop.rar
    1⤵
    • Modifies registry class
    PID:4996
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Desktop.rar"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3608
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3856
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap11357:94:7zEvent25752
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3748
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4772
