3ea350fa6916e36ba67a8a17a347bb89ab2567120eb9af4cf6648c1809711274

Analysis

max time kernel
1094s
max time network
1121s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2023 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d81c09d8249410587ae.zipaj
Size

276B
MD5

0981763686ccbaeb328f9bf85101200e
SHA1

b0a27789929af7db6bc3da5e7ae7571e39b7fd76
SHA256

cfa87f6afd5ccff85a0220a4509b26150a0b6f0538c8ffc1623a9b9a4feb2684
SHA512

2655fce811abf8417a79e325bfd3f7dd022aa3a05610342f623a048cb132fc4ca5f15cb64cdfa5501b13da98c105f55e6a4b4e212af55e5e9efc4d68f9e178dc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	316	WerFault.exe	92

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2444	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe
1432	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2444	1432	OpenWith.exe	93
PID 1432 wrote to memory of 2444	1432	OpenWith.exe	93

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1d81c09d8249410587ae.zipaj
1⤵
- Modifies registry class
PID:4248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1d81c09d8249410587ae.zipaj
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 316 -ip 316
1⤵
PID:2988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 316 -s 2348
1⤵
- Program crash
PID:2408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads