Overview
overview
6Static
static
4Desktop.zip
windows7-x64
1Desktop.zip
windows10-2004-x64
1GameAssembly.dll
windows7-x64
3GameAssembly.dll
windows10-2004-x64
3Launcher.exe
windows7-x64
1Launcher.exe
windows10-2004-x64
1OnlineFix.ini
windows7-x64
1OnlineFix.ini
windows10-2004-x64
1OnlineFix.json
windows7-x64
3OnlineFix.json
windows10-2004-x64
3OnlineFix.url
windows7-x64
6OnlineFix.url
windows10-2004-x64
6OnlineFix64.dll
windows7-x64
1OnlineFix64.dll
windows10-2004-x64
1Phasmophob...2).pdf
windows7-x64
1Phasmophob...2).pdf
windows10-2004-x64
1Phasmophobia.exe
windows7-x64
1Phasmophobia.exe
windows10-2004-x64
3PhotonBridge.dll
windows7-x64
1PhotonBridge.dll
windows10-2004-x64
1SDKVersion.txt
windows7-x64
1SDKVersion.txt
windows10-2004-x64
1SteamOverlay64.dll
windows7-x64
1SteamOverlay64.dll
windows10-2004-x64
1UnityCrash...64.exe
windows7-x64
1UnityCrash...64.exe
windows10-2004-x64
1UnityPlayer.dll
windows7-x64
1UnityPlayer.dll
windows10-2004-x64
3baselib.dll
windows7-x64
3baselib.dll
windows10-2004-x64
3dlllist.txt
windows7-x64
1dlllist.txt
windows10-2004-x64
1Analysis
-
max time kernel
171s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-04-2023 13:40
Behavioral task
behavioral1
Sample
Desktop.zip
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
Desktop.zip
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
GameAssembly.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
GameAssembly.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Launcher.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
Launcher.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
OnlineFix.ini
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
OnlineFix.ini
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
OnlineFix.json
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
OnlineFix.json
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
OnlineFix.url
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
OnlineFix.url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
OnlineFix64.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
OnlineFix64.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Phasmophobia EULA (Ver 2).pdf
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
Phasmophobia EULA (Ver 2).pdf
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Phasmophobia.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
Phasmophobia.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
PhotonBridge.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
PhotonBridge.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
SDKVersion.txt
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
SDKVersion.txt
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
SteamOverlay64.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
SteamOverlay64.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
UnityCrashHandler64.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
UnityCrashHandler64.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
UnityPlayer.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
UnityPlayer.dll
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
baselib.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
baselib.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
dlllist.txt
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
dlllist.txt
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
OnlineFix.json
-
Size
55B
-
MD5
51bd3de7ee7e70c96fe914e35be2e0ed
-
SHA1
fc1b6359e5fa6c9b8652bb583d736d381cf6b77a
-
SHA256
c8b63a63cde606dbec66a7ca1d2f4b455907551bdd920f922eafed91a95a602c
-
SHA512
1892e6ea3ede9ec37622a17b1ce3e7945539d1f659317500e7344aac63ade2c997a50a64479818e80dd4fdab63357c460282fdd3764e4f17cc12897b50e31f4c
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.json rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell\Read\command rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1972 AcroRd32.exe 1972 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1360 wrote to memory of 1168 1360 cmd.exe 29 PID 1360 wrote to memory of 1168 1360 cmd.exe 29 PID 1360 wrote to memory of 1168 1360 cmd.exe 29 PID 1168 wrote to memory of 1972 1168 rundll32.exe 30 PID 1168 wrote to memory of 1972 1168 rundll32.exe 30 PID 1168 wrote to memory of 1972 1168 rundll32.exe 30 PID 1168 wrote to memory of 1972 1168 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\OnlineFix.json1⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\OnlineFix.json2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OnlineFix.json"3⤵
- Suspicious use of SetWindowsHookEx
PID:1972
-
-