Overview
overview
10Static
static
1RR.lnk
windows7-x64
3RR.lnk
windows10-2004-x64
10vibrations...ss.exe
windows7-x64
vibrations...ss.exe
windows10-2004-x64
1vibrations/croaks.sql
windows7-x64
3vibrations/croaks.sql
windows10-2004-x64
3vibrations...id.cmd
windows7-x64
1vibrations...id.cmd
windows10-2004-x64
1Analysis
-
max time kernel
30s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
24/02/2023, 19:41
Static task
static1
Behavioral task
behavioral1
Sample
RR.lnk
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
RR.lnk
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
vibrations/airtightness.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
vibrations/airtightness.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
vibrations/croaks.sql
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
vibrations/croaks.sql
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
vibrations/polaroid.cmd
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
vibrations/polaroid.cmd
Resource
win10v2004-20230220-en
General
-
Target
vibrations/croaks.sql
-
Size
1.6MB
-
MD5
93c08848c8acedbf3e93692b445fd90c
-
SHA1
31a40a24e3e54bd35f8eb1c5859a42e4d38b1712
-
SHA256
6054916e5dc80c3f068e13b10b2e5e1a314f2207a85ead9ac979ab75ae4501d8
-
SHA512
341b0affd4a8b516c18b4f995b888fe17072ddc928b7d9ad4ab342e758cd60d144b0b2e95d01c56e73c86ea3212a63abdb212cbc4c4d07504dcc8a4737037ab4
-
SSDEEP
12288:hgD7oi4JVR7GiHZJUMY4qSl9rBQpVvFBuLBmIiPy0Kko1KTVFufFKHcqgEQX0ekU:c7o9PrBeVXoY76Nj37J
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 13 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.sql rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\shell\open rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\shell\edit\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\shell\open\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.sql\ = "sql_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\shell\edit rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\sql_auto_file\shell rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1856 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2020 wrote to memory of 1092 2020 cmd.exe 29 PID 2020 wrote to memory of 1092 2020 cmd.exe 29 PID 2020 wrote to memory of 1092 2020 cmd.exe 29 PID 1092 wrote to memory of 1856 1092 rundll32.exe 30 PID 1092 wrote to memory of 1856 1092 rundll32.exe 30 PID 1092 wrote to memory of 1856 1092 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\vibrations\croaks.sql1⤵
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\vibrations\croaks.sql2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\vibrations\croaks.sql3⤵
- Opens file in notepad (likely ransom note)
PID:1856
-
-