fc82b563d313863573783df7d7b533da56a26e167db3a9143c7a780f1cab793d

Analysis

max time kernel
151s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System Volume Information/WPSettings.dat
Size

12B
MD5

bf8c557e1c3c28ed3bc3213920576ff1
SHA1

863e227e338d6b8e056f3286b4d66f3bbf4e1ac1
SHA256

410696eb28b1d2150b093aa2a392ce82c31afd887fd324600c4a9fe54d42a34f
SHA512

e80edc340a2f720eb24b94488362f3f2511c1fd02f3b5e280305e2a2be0b5c923f05f442951f6558d8b5a83eadd913a78c99d12334aa530d3e48db1207624f74

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.dat\ = "dat_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.dat	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

564 AcroRd32.exe
564 AcroRd32.exe
564 AcroRd32.exe

pid	process
564	AcroRd32.exe
564	AcroRd32.exe
564	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2012 wrote to memory of 588	2012	cmd.exe	rundll32.exe
PID 2012 wrote to memory of 588	2012	cmd.exe	rundll32.exe
PID 2012 wrote to memory of 588	2012	cmd.exe	rundll32.exe
PID 588 wrote to memory of 564	588	rundll32.exe	AcroRd32.exe
PID 588 wrote to memory of 564	588	rundll32.exe	AcroRd32.exe
PID 588 wrote to memory of 564	588	rundll32.exe	AcroRd32.exe
PID 588 wrote to memory of 564	588	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:588

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"
3⤵
- Suspicious use of SetWindowsHookEx
PID:564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads