Analysis
max time kernel: 253s
max time network: 295s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2023 19:52
Static task: static1
Behavioral task behavioral1 (the run shown in this report): sample ljc.sh; resource win10v2004-20220812-en (windows10-2004-x64); 6 signatures; 300 seconds
Behavioral task behavioral2: sample ljc.sh; resource macos-20220504-en (macos-10.15-amd64); 1 signature; 300 seconds
Behavioral task behavioral3: sample ljc.sh; resource ubuntu1804-amd64-20221111-en (ubuntu-18.04-amd64); 3 signatures; 300 seconds
General
Target: ljc.sh
Size: 1KB
MD5: 238af6fec3323e31fd809fda87165fc7
SHA1: 8a694450e42ca8cd294715229799c411fbf2ecd8
SHA256: d03288877f3732a5cc88416b38cc59d3e12ee1367d0ae514f148a49658a0c232
SHA512: 5760fceec83cf3b18f3fbd3df3b5fb6ec484143355fcef7ea3f2ad17b6da6dc77bab4686100775cba07542ea3527ed1ae1f4850e264a703736a653c062c2ef4a
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  description   ioc                                                                                 process
  Key created   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid   process
  4680  NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2880  OpenWith.exe
- Suspicious use of SetWindowsHookEx (43 IoCs)
  pid   process
  2880  OpenWith.exe (43 identical entries, all from this one process)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description         pid   process       target pid  target process
  wrote to memory of  2880  OpenWith.exe  4680        NOTEPAD.EXE
  (the same entry is recorded twice)

Note on reading these hits: in the Windows task the sample was launched as "cmd /c ljc.sh". Windows has no handler registered for the .sh extension, so the shell raised the Open With dialog (OpenWith.exe -Embedding), which then started Notepad on the file (see Processes). Every process-attributed signature above (registry class, GetForegroundWindowSpam, SetWindowsHookEx, WriteProcessMemory, the Notepad "ransom note") is attributed to cmd.exe, OpenWith.exe or NOTEPAD.EXE, and the file Notepad opened is the submitted sample itself, not a note dropped by it. No shell interpreter appears in the process tree, so the script did not run on this platform; the 3/10 score reflects that. The Linux and macOS tasks are the relevant ones for a shell script, and their signatures are not shown on this page.
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ljc.sh
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 2880)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 4680, child of OpenWith.exe)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ljc.sh
    - Opens file in notepad (likely ransom note)
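The chain in this process tree (cmd /c on a .sh file, the Open With dialog, Notepad displaying the sample) is the pattern that makes ransom-note and window-hook heuristics fire on a sample that never actually ran. The following is an added example, not part of this sandbox report and not the sandbox's own code: it rebuilds the process tree from the report's process list and decides whether the sample was executed by an interpreter, merely handed off by cmd.exe, or only displayed by a viewer, and whether the file Notepad opened is the sample itself rather than a dropped note. The cmd.exe PID (1000), the parent PIDs of cmd.exe and OpenWith.exe (0 = not recorded), the viewer/shell/interpreter name sets and the constructed event list are assumptions; the report records only PIDs 2880 and 4680 and the 2880 -> 4680 WriteProcessMemory link.

```python
"""Triage check: did the sandbox execute the submitted sample, or did the
guest only open it in a viewer?  Added example, not part of the report above.
The event list is constructed from the report's process tree; PID 1000 and
all parent PIDs except 4680's are assumptions."""

import os
import shlex
from dataclasses import dataclass, field

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ljc.sh"

# Images that display or hand off a file rather than run it (assumed set).
VIEWERS = {"notepad.exe", "openwith.exe", "wordpad.exe"}
# Images that pass an unknown file type to ShellExecute (assumed set).
SHELLS = {"cmd.exe", "explorer.exe"}
# Interpreters a .sh file would need in order to run natively on Windows (assumed set).
SH_INTERPRETERS = {"sh.exe", "bash.exe", "wsl.exe", "busybox.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int            # 0 = parent not recorded in the report (assumption)
    image: str
    cmdline: str
    signatures: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return os.path.basename(self.image.replace("\\", "/")).lower()


# Constructed from the report's process list (PID 1000 and ppid=0 links assumed).
EVENTS = [
    Proc(1000, 0, r"C:\Windows\system32\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\ljc.sh",
         ["Modifies registry class"]),
    Proc(2880, 0, r"C:\Windows\system32\OpenWith.exe",
         r"C:\Windows\system32\OpenWith.exe -Embedding",
         ["Modifies registry class", "Suspicious behavior: GetForegroundWindowSpam",
          "Suspicious use of SetWindowsHookEx", "Suspicious use of WriteProcessMemory"]),
    Proc(4680, 2880, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ljc.sh',
         ["Opens file in notepad (likely ransom note)"]),
]


def args_of(proc: Proc) -> list:
    # posix=False keeps backslashes intact; non-posix mode leaves the quotes on
    # quoted tokens, so strip them afterwards.
    return [a.strip('"') for a in shlex.split(proc.cmdline, posix=False)]


def references(proc: Proc, path: str) -> bool:
    """True if the process received `path` as a command-line argument."""
    return any(a.lower() == path.lower() for a in args_of(proc))


def file_args(proc: Proc) -> list:
    """Drive-letter paths passed as arguments (argv[0] excluded)."""
    return [a for a in args_of(proc)[1:] if len(a) > 3 and a[1:3] == ":\\"]


def ancestry(events: list, pid: int) -> list:
    """Image names from the outermost recorded ancestor down to `pid`."""
    by_pid = {p.pid: p for p in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage(events: list, sample: str) -> dict:
    touching = [p for p in events if references(p, sample)]
    interpreters = [p.name for p in touching if p.name in SH_INTERPRETERS]
    handoffs = [p.name for p in touching if p.name in SHELLS]
    viewers = [p.name for p in touching if p.name in VIEWERS]
    # A ransom note is a file the malware dropped and then displayed.  If the
    # only file Notepad opened is the submitted sample, the signature is noise.
    notes = [f for p in events if p.name == "notepad.exe"
             for f in file_args(p) if f.lower() != sample.lower()]
    viewer_chains = [ancestry(events, p.pid) for p in events
                     if p.name in VIEWERS and references(p, sample)]
    return {
        "executed_natively": bool(interpreters),
        "interpreters": interpreters,
        "shell_handoffs": handoffs,
        "viewers": viewers,
        "viewer_chains": viewer_chains,
        "ransom_note_candidates": notes,
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS, SAMPLE).items():
        print(f"{key}: {value}")
```

On the report's tree this yields executed_natively False, a cmd.exe hand-off, Notepad as the only viewer reached via OpenWith.exe, and no ransom-note candidate, which is the reading an analyst should apply before escalating the Windows hits. The same function returns a candidate path when Notepad is given a file other than the sample, and executed_natively True when an sh/bash interpreter is handed the script.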
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4680-132-0x0000000000000000-mapping.dmp