d7f7749bde88ba1280b2e560778bab0234d40ea1a6f63dce8622fc2cc7271a09

General

Target

Diablo.rar
Size

62.3MB
MD5

c898805fc52cc4cdcbab708ce689ddb4
SHA1

41781b91df67af1bc9b1eafd688ff3195cca2aa1
SHA256

d7f7749bde88ba1280b2e560778bab0234d40ea1a6f63dce8622fc2cc7271a09
SHA512

7e644b6b3ec7f59c41ca47ace70b233b94174331839bf8e32f8f81cfe79d0c6828681de761d4a8d2f4c510d63b51d26ec534ac8a7e90a81e061078bdc88b0fa7
SSDEEP

1572864:FBHP1Yqkw+B1lkVP+tqeozXwaxGfWCP1hadvKc71Yr9sj:FvtkblEP+tqZzXwkCP14KciBsj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1112 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1112 vlc.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

vlc.exe

pid	process
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

vlc.exe

pid	process
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe
1112	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1112 vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 276 wrote to memory of 520	276	cmd.exe	rundll32.exe
PID 276 wrote to memory of 520	276	cmd.exe	rundll32.exe
PID 276 wrote to memory of 520	276	cmd.exe	rundll32.exe
PID 520 wrote to memory of 1112	520	rundll32.exe	vlc.exe
PID 520 wrote to memory of 1112	520	rundll32.exe	vlc.exe
PID 520 wrote to memory of 1112	520	rundll32.exe	vlc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Diablo.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Diablo.rar
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Diablo.rar"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1112

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
83B

MD5
9cd659d5a3e467ca44219f0cc7cac2df

SHA1
7a3c9ed487c5f627c72c4438923a2830aa3e455a

SHA256
976a472bc3338dafe5c171ff09ff6b3a2e1e6746ee0aeacdadc928a3d4b88d83

SHA512
11ce0318d43be68a5cdd7a1189ddca1f8a3bc5821f8f660fa48900364f83ef40ebc745c95dd6eba0ff83542c21645220ac54a9dbc46dfc2793b16f37cb34a6ae

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc.1112
Filesize
93KB

MD5
7d5ef2dffb8d0f8c5dfde20525d9e9ec

SHA1
875f7115389c71f411249b9e619c6c3c76ad4972

SHA256
97f54303096bd3b0925de62fff499ebcaf6b152a7a49a805491b249fc2723b1e

SHA512
a37ad0ecb44b1d10293792bc9b6e79c9d507ccab608ba82576c7e27f6f167a0c122593a2dce5da79a5bb5d6deb5a80707873e69307e106a3632f925c7c0b8d39

Download Submit
memory/1112-102-0x000007FEFB0B0000-0x000007FEFB0C1000-memory.dmp

Filesize
68KB

Download
memory/1112-123-0x000000013F270000-0x000000013F368000-memory.dmp

Filesize
992KB

Download
memory/1112-90-0x000007FEFB4A0000-0x000007FEFB4B7000-memory.dmp

Filesize
92KB

Download
memory/1112-91-0x000007FEFB400000-0x000007FEFB411000-memory.dmp

Filesize
68KB

Download
memory/1112-92-0x000007FEFB3E0000-0x000007FEFB3F7000-memory.dmp

Filesize
92KB

Download
memory/1112-93-0x000007FEFB3C0000-0x000007FEFB3D1000-memory.dmp

Filesize
68KB

Download
memory/1112-104-0x000007FEFB070000-0x000007FEFB08B000-memory.dmp

Filesize
108KB

Download
memory/1112-95-0x000007FEFB340000-0x000007FEFB351000-memory.dmp

Filesize
68KB

Download
memory/1112-96-0x000007FEF64B0000-0x000007FEF66B0000-memory.dmp

Filesize
2.0MB

Download
memory/1112-97-0x000007FEF5400000-0x000007FEF64AB000-memory.dmp

Filesize
16.7MB

Download
memory/1112-98-0x000007FEFB300000-0x000007FEFB33F000-memory.dmp

Filesize
252KB

Download
memory/1112-99-0x000007FEFB2D0000-0x000007FEFB2F1000-memory.dmp

Filesize
132KB

Download
memory/1112-100-0x000007FEFB0F0000-0x000007FEFB108000-memory.dmp

Filesize
96KB

Download
memory/1112-101-0x000007FEFB0D0000-0x000007FEFB0E1000-memory.dmp

Filesize
68KB

Download
memory/1112-142-0x000007FEF3BD0000-0x000007FEF3CE2000-memory.dmp

Filesize
1.1MB

Download
memory/1112-89-0x000007FEFB900000-0x000007FEFB918000-memory.dmp

Filesize
96KB

Download
memory/1112-94-0x000007FEFB3A0000-0x000007FEFB3BD000-memory.dmp

Filesize
116KB

Download
memory/1112-105-0x000007FEFB050000-0x000007FEFB061000-memory.dmp

Filesize
68KB

Download
memory/1112-107-0x000007FEF6F00000-0x000007FEF6F30000-memory.dmp

Filesize
192KB

Download
memory/1112-106-0x000007FEFB030000-0x000007FEFB048000-memory.dmp

Filesize
96KB

Download
memory/1112-108-0x000007FEF6A10000-0x000007FEF6A77000-memory.dmp

Filesize
412KB

Download
memory/1112-109-0x000007FEF69A0000-0x000007FEF6A0F000-memory.dmp

Filesize
444KB

Download
memory/1112-110-0x000007FEF6EE0000-0x000007FEF6EF1000-memory.dmp

Filesize
68KB

Download
memory/1112-88-0x000007FEF6B50000-0x000007FEF6E04000-memory.dmp

Filesize
2.7MB

Download
memory/1112-111-0x000007FEF5230000-0x000007FEF5286000-memory.dmp

Filesize
344KB

Download
memory/1112-112-0x000007FEF6EB0000-0x000007FEF6ED8000-memory.dmp

Filesize
160KB

Download
memory/1112-87-0x000007FEFB4C0000-0x000007FEFB4F4000-memory.dmp

Filesize
208KB

Download
memory/1112-124-0x000007FEFB4C0000-0x000007FEFB4F4000-memory.dmp

Filesize
208KB

Download
memory/1112-126-0x000007FEF6B50000-0x000007FEF6E04000-memory.dmp

Filesize
2.7MB

Download
memory/1112-103-0x000007FEFB090000-0x000007FEFB0A1000-memory.dmp

Filesize
68KB

Download
memory/1112-127-0x000007FEF5400000-0x000007FEF64AB000-memory.dmp

Filesize
16.7MB

Download
memory/1112-86-0x000000013F270000-0x000000013F368000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads