Analysis
max time kernel: 377s
max time network: 866s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-01-2023 01:41
Static task: static1

Behavioral task: behavioral1
Sample: SFD Setup Alpha v.1.3.4c.rar
Resource: win10-20220812-en (windows10-1703-x64)
8 signatures, 1200 seconds

Behavioral task: behavioral2
Sample: SFD Setup Alpha v.1.3.4c.exe
Resource: win10-20220901-en (windows10-1703-x64)
17 signatures, 1200 seconds
General
Target: SFD Setup Alpha v.1.3.4c.rar
Size: 32.2MB
MD5: a78056af10e1c28874848dd3da36c53f
SHA1: 366ee0889728a32c47e743679e8b6b10bec6a6cf
SHA256: c86c7f3faa4a5d63872a3c48bac2f8f380a45b4c35ba7066c1a247bbc0daa149
SHA512: 95ec28756803d459870f2c5a660a628381817cf7ac7f2ea3f3c44e9b1885876a277359d58c3073854c82aeca4c50bb9a885d1eb3ee8cc22cafc189c613a68fe8
SSDEEP: 786432:FatvWrLITK0ihqMg4CJ0yOWbNddgnP+WO1oA7w:8tvxW0iINJ0TmInP+WxJ
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
description   ioc                                                                                      Process
Key created   \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings    cmd.exe
Key created   \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings    OpenWith.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid    Process
4824   vlc.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid    Process
3940   OpenWith.exe
4824   vlc.exe

Suspicious use of FindShellTrayWindow (17 IoCs)
pid    Process
4824   vlc.exe    (all 17 entries are this same pid/process pair)

Suspicious use of SendNotifyMessage (16 IoCs)
pid    Process
4824   vlc.exe    (all 16 entries are this same pid/process pair)

Suspicious use of SetWindowsHookEx (64 IoCs)
pid    Process
3940   OpenWith.exe    (all 64 entries are this same pid/process pair)

Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid    Process        procid_target
PID 3940 wrote to memory of 4824   3940   OpenWith.exe   69
PID 3940 wrote to memory of 4824   3940   OpenWith.exe   69
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\SFD Setup Alpha v.1.3.4c.rar"
  PID: 2704
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3940
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\VideoLAN\VLC\vlc.exe  (child of OpenWith.exe, PID 3940)
      Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\SFD Setup Alpha v.1.3.4c.rar"
      PID: 4824
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4276