Overview
overview
6Static
static
1hra.rar
windows7-x64
3hra.rar
windows10-2004-x64
3hra/LLL_Ma...ources
windows7-x64
1hra/LLL_Ma...ources
windows10-2004-x64
1hra/LLL_Ma..._extra
windows7-x64
1hra/LLL_Ma..._extra
windows10-2004-x64
1hra/LLL_Ma...s.json
windows7-x64
3hra/LLL_Ma...s.json
windows10-2004-x64
3hra/LLL_Ma...s.json
windows7-x64
3hra/LLL_Ma...s.json
windows10-2004-x64
3hra/LLL_Ma...RK.wav
windows7-x64
1hra/LLL_Ma...RK.wav
windows10-2004-x64
6hra/LLL_Ma...ds.wav
windows7-x64
1hra/LLL_Ma...ds.wav
windows10-2004-x64
6hra/LLL_Ma...SM.wav
windows7-x64
1hra/LLL_Ma...SM.wav
windows10-2004-x64
6hra/LLL_Ma...sa.wav
windows7-x64
1hra/LLL_Ma...sa.wav
windows10-2004-x64
6hra/LLL_Ma...er.wav
windows7-x64
1hra/LLL_Ma...er.wav
windows10-2004-x64
6hra/LLL_Ma...ar.wav
windows7-x64
1hra/LLL_Ma...ar.wav
windows10-2004-x64
6hra/LLL_Ma...ve.wav
windows7-x64
1hra/LLL_Ma...ve.wav
windows10-2004-x64
6hra/LLL_Ma...ar.wav
windows7-x64
1hra/LLL_Ma...ar.wav
windows10-2004-x64
6hra/LLL_Ma...UT.wav
windows7-x64
1hra/LLL_Ma...UT.wav
windows10-2004-x64
6hra/LLL_Ma...al.wav
windows7-x64
1hra/LLL_Ma...al.wav
windows10-2004-x64
6hra/LLL_Ma...3).wav
windows7-x64
1hra/LLL_Ma...3).wav
windows10-2004-x64
6Analysis
-
max time kernel
152s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
31-03-2023 18:52
Static task
static1
Behavioral task
behavioral1
Sample
hra.rar
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
hra.rar
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
hra/LLL_Mantis_Data/Resources/unity default resources
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
hra/LLL_Mantis_Data/Resources/unity default resources
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
hra/LLL_Mantis_Data/Resources/unity_builtin_extra
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
hra/LLL_Mantis_Data/Resources/unity_builtin_extra
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
hra/LLL_Mantis_Data/RuntimeInitializeOnLoads.json
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
hra/LLL_Mantis_Data/RuntimeInitializeOnLoads.json
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
hra/LLL_Mantis_Data/ScriptingAssemblies.json
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
hra/LLL_Mantis_Data/ScriptingAssemblies.json
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
hra/LLL_Mantis_Data/StreamingAssets/ARK.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
hra/LLL_Mantis_Data/StreamingAssets/ARK.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
hra/LLL_Mantis_Data/StreamingAssets/Apex Legends.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
hra/LLL_Mantis_Data/StreamingAssets/Apex Legends.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
hra/LLL_Mantis_Data/StreamingAssets/BDSM.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
hra/LLL_Mantis_Data/StreamingAssets/BDSM.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
hra/LLL_Mantis_Data/StreamingAssets/Black Mesa.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
hra/LLL_Mantis_Data/StreamingAssets/Black Mesa.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
hra/LLL_Mantis_Data/StreamingAssets/Blender.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
hra/LLL_Mantis_Data/StreamingAssets/Blender.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
hra/LLL_Mantis_Data/StreamingAssets/Call of Duty World at War.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
hra/LLL_Mantis_Data/StreamingAssets/Call of Duty World at War.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
hra/LLL_Mantis_Data/StreamingAssets/Counter-Strike Global Offensive.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
hra/LLL_Mantis_Data/StreamingAssets/Counter-Strike Global Offensive.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
hra/LLL_Mantis_Data/StreamingAssets/Cry of Fear.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
hra/LLL_Mantis_Data/StreamingAssets/Cry of Fear.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
hra/LLL_Mantis_Data/StreamingAssets/DEATH STRANDING DIRECTORS CUT.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
hra/LLL_Mantis_Data/StreamingAssets/DEATH STRANDING DIRECTORS CUT.wav
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
hra/LLL_Mantis_Data/StreamingAssets/DOOMEternal.wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
hra/LLL_Mantis_Data/StreamingAssets/DOOMEternal.wav
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
hra/LLL_Mantis_Data/StreamingAssets/Dead Space (2023).wav
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
hra/LLL_Mantis_Data/StreamingAssets/Dead Space (2023).wav
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
hra/LLL_Mantis_Data/RuntimeInitializeOnLoads.json
-
Size
2KB
-
MD5
2d7e6969699088c4870dba946330088e
-
SHA1
d4129cf0c4ef8c8dfacf5cf315776259c381d472
-
SHA256
f0fa820b5cc0effa72fd81cc0fcdfe8a9767906537fed99b80ec3187f354f051
-
SHA512
82a600ae834e50e2b7b6d374a04fbd800543b047fa27fcaf885f3af125b14f1af86a519fccd29ed740a06b0851a62c5199de8dceb9118bb980abb0fdca86a682
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.json rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1808 AcroRd32.exe 1808 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1768 wrote to memory of 1484 1768 cmd.exe 29 PID 1768 wrote to memory of 1484 1768 cmd.exe 29 PID 1768 wrote to memory of 1484 1768 cmd.exe 29 PID 1484 wrote to memory of 1808 1484 rundll32.exe 30 PID 1484 wrote to memory of 1808 1484 rundll32.exe 30 PID 1484 wrote to memory of 1808 1484 rundll32.exe 30 PID 1484 wrote to memory of 1808 1484 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\hra\LLL_Mantis_Data\RuntimeInitializeOnLoads.json1⤵
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\hra\LLL_Mantis_Data\RuntimeInitializeOnLoads.json2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\hra\LLL_Mantis_Data\RuntimeInitializeOnLoads.json"3⤵
- Suspicious use of SetWindowsHookEx
PID:1808
-
-