4092271557d4677645efabdac5c87df345de795f01e0e68a1da3c0a5d7fa11e5

Analysis

max time kernel
144s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
06/07/2023, 19:47

Target

bootdecoder.zip
Size

341KB
MD5

276944486fe92de4379efd9dcf667fa8
SHA1

6df2b78653774f263d149d7d1f8803b7f95e2a4c
SHA256

4092271557d4677645efabdac5c87df345de795f01e0e68a1da3c0a5d7fa11e5
SHA512

037363567bca262240a3febe1015f70d6d288ca549ac55f79f183efda47da8a44e2ce2fc5e6dd0e1e5d4bd5b5fd101a96eca235103dd92bc9f6a00cc355f4b11
SSDEEP

6144:PR9Dm7m3oue9XcS97D2km7aNti8OP0j8jlO:PR9gYtelRKuNtircj85O

Score

1^/10

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
4312	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 4728	492	cmd.exe	78
PID 492 wrote to memory of 4728	492	cmd.exe	78
PID 4728 wrote to memory of 3788	4728	lua.exe	79
PID 4728 wrote to memory of 3788	4728	lua.exe	79
PID 3788 wrote to memory of 3884	3788	cmd.exe	80
PID 3788 wrote to memory of 3884	3788	cmd.exe	80
PID 492 wrote to memory of 2100	492	cmd.exe	81
PID 492 wrote to memory of 2100	492	cmd.exe	81
PID 2100 wrote to memory of 4712	2100	lua.exe	82
PID 2100 wrote to memory of 4712	2100	lua.exe	82
PID 4712 wrote to memory of 3928	4712	cmd.exe	83
PID 4712 wrote to memory of 3928	4712	cmd.exe	83

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\bootdecoder.zip
1⤵
PID:4156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CompressResolve.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:4312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:732

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:492
- C:\Users\Admin\Desktop\bootdecoder\lua.exe
  lua.exe extract.lua
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ndisasm.exe extracted.bin -o extracted_asm.asm
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Users\Admin\Desktop\bootdecoder\ndisasm.exe
      ndisasm.exe extracted.bin -o extracted_asm.asm
      4⤵
      PID:3884
- C:\Users\Admin\Desktop\bootdecoder\lua.exe
  lua.exe extract.lua
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ndisasm.exe extracted.bin -o extracted_asm.asm
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\Desktop\bootdecoder\ndisasm.exe
      ndisasm.exe extracted.bin -o extracted_asm.asm
      4⤵
      PID:3928

C:\Users\Admin\Desktop\bootdecoder\extracted.bin

Filesize
512B

MD5
9c44c975675cf21b84fdfe4a6e1569ef

SHA1
665d545bffc0d951663c580d075ba257848a45ed

SHA256
8a798cdb3fe69f4563e592db8a6138f9c2bf77d2aabd745ab85fc95e79decbdd

SHA512
9d32fdffd2855383aec3da63bf93881b187af428e25a598fa95e096ce0f645346b7ab64bf063245a7f4f71803fe78ffbb8d6f110087391d076be683d7a50a5fe

Download Submit
memory/2100-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2100-128-0x0000000065B80000-0x0000000065BCF000-memory.dmp

Filesize
316KB

Download
memory/3884-121-0x00007FF772B70000-0x00007FF772C89000-memory.dmp

Filesize
1.1MB

Download
memory/3928-126-0x00007FF772B70000-0x00007FF772C89000-memory.dmp

Filesize
1.1MB

Download
memory/4728-122-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4728-123-0x0000000065B80000-0x0000000065BCF000-memory.dmp

Filesize
316KB

Download