6c6dcd6adf2d44c395498cd58c5eceb7bb720b810c12746c01130012fd14a3cb | Triage

Resubmissions

01/02/2023, 14:53 UTC

230201-r9lk2aca9t 1

01/02/2023, 14:21 UTC

230201-rpf5tabh7x 1

Analysis

max time kernel
131s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/02/2023, 14:53 UTC

Sharing

Report Analysis Logs

General

Target

autorun.inf
Size

92KB
MD5

2c29248d7b2ee96a8f3d516dae36c310
SHA1

0e73e5f50253e821fd87bb845aea0983ccfae404
SHA256

7611738317dabe43daeeb0b45698c0e37ecfd546d29761a63e57dd779984589b
SHA512

1229db37d8366ea9f4c8636e874113f2f07cff5eb2b495c4ade8d1c5004d47b9374cabe20acb02919271580cb9b9458c90621c0123554e2683b40ef6fdedcde9
SSDEEP

1536:uvE5/VJ8m0HJnppEnANcFqAsVH8cObGyHSTG0ugUfOgsZ3Z4:ksh6pl/H8nbGyHST+gUfOfC

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1320	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE
Token: 33	860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	860	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1320	NOTEPAD.EXE
1320	NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\autorun.inf
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-54-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download