Analysis
-
max time kernel
146s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
-
submitted
02-09-2023 17:50
General
-
Target
trauma..exe
-
Size
111KB
-
MD5
e63902231216ab8f0251b6671e20c57e
-
SHA1
00dc44778b35de171f47783ab27494dcc460d296
-
SHA256
39b899eb2e032c099d5011348ca54c3212a0732a1df9e21fa54f9af22394240d
-
SHA512
8dfcd1835159197c822b3914f43bd691f4f9455e04f993b0a9b190cf1fd63088db255b59f73b98d9a18e46529bb5725481e939ea960c488ba79d52b6d730d34c
-
SSDEEP
1536:g2Y0VNblnigen1FQGpaika1PASjg/oVRHhbY9:g23rbZi/8GprF3jg/oH5Y9
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 3 IoCs
-
Opens file in notepad (likely ransom note) 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 45 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\trauma..exe"C:\Users\Admin\AppData\Local\Temp\trauma..exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=00252⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mode.commode con:cols=0080 lines=00253⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Window Title2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\i6.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\i6.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\i6.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\i6.f2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\i6.t2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.0.97515552\1348507608" -parentBuildID 20221007134813 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32b99cc3-0742-46f9-be05-8e95254e9295} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 2016 1d9807d8f58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.1.567676764\1558825419" -parentBuildID 20221007134813 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02128d50-d909-4e2b-980f-95e851616024} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 2424 1d9802e6558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.2.30407088\1622083239" -childID 1 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d83eddd-7308-4ef5-b4af-dcb77b21494f} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 3416 1d984706b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.3.971726770\835966717" -childID 2 -isForBrowser -prefsHandle 1048 -prefMapHandle 1044 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41cf06d1-4c55-490b-922a-57498b171415} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 3052 1d985304758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.4.1801559031\665700883" -childID 3 -isForBrowser -prefsHandle 3424 -prefMapHandle 4112 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33e53044-084b-4dd9-86e3-6f2159cf9f5c} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 4092 1d985c51958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.5.1729229583\2036330496" -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5268 -prefsLen 26575 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {300b50ab-c096-47cf-b6de-245576c5c011} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 5144 1d98762cc58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.7.216125325\962324880" -childID 6 -isForBrowser -prefsHandle 5364 -prefMapHandle 5444 -prefsLen 26575 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4892f04-4cf9-4193-a3f4-9b8ae5fad2cc} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 5388 1d983941e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.6.1540510289\1635556865" -childID 5 -isForBrowser -prefsHandle 5236 -prefMapHandle 5288 -prefsLen 26575 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1c39e50-b3b2-4913-a684-7ec5dab24b41} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 5144 1d9830d6858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.8.1580326858\1614334682" -parentBuildID 20221007134813 -prefsHandle 6032 -prefMapHandle 6040 -prefsLen 26656 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a631320-b80e-4db2-a04f-e000c84d1c7c} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 6048 1d988dd0e58 rdd3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.9.2112574237\1752145319" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6188 -prefMapHandle 6184 -prefsLen 26656 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d5c07a9-0c92-4f97-8307-eecd267ac0cd} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 6196 1d987c81558 utility3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.10.432621893\1818115586" -childID 7 -isForBrowser -prefsHandle 6320 -prefMapHandle 6188 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0756c65-35fb-4a3f-9d7f-1fdb58003c59} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 6312 1d988e20458 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD524308305b90f8ebab79b76394dc0b26f
SHA1dbbb53d88179dcb165926b6df587adac09f4022b
SHA256086a2c5f85498debd6be4a687e18b252f2f67b73ae7ef74bd55195a52bb74946
SHA512f849dc2d5c30d9520cc708eb557d72ace184813d88c0e6268d1512368998d9926b9f5a3167983346c97af2d49a4ad1492816dabb55ecc59f77dc9eb85e0b4bcd
-
Filesize
173B
MD50f8f70e88009593eefaa155a8e31b1d6
SHA1eabcc3f2135e0919e9456da0a4b1084f3382d4b6
SHA256941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b
SHA51294df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750
-
Filesize
32B
MD5d406619e40f52369e12ae4671b16a11a
SHA19c5748148612b1eefaacf368fbf5dbcaa8dea6d0
SHA2562e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be
SHA5124d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264
-
Filesize
3B
MD5a5ea0ad9260b1550a14cc58d2c39b03d
SHA1f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA5127c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74
-
Filesize
3B
MD5a5ea0ad9260b1550a14cc58d2c39b03d
SHA1f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA5127c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74
-
Filesize
6KB
MD53d0a69a6dd29468fabf7feda5b46ea9a
SHA1f0d10dd54809cae336730443c07d73cdeba2a298
SHA25635a2d42db6d0981879acc5db0c5777468e1d3cb2bc0b7763156abaaf1b6e796c
SHA512f0a297415bec652e7bc16fa81fe997da052e3762dae1e8fc4b08c48ae569882d7e317b6fad0786242e1767203b6a2fefd2db26911ee022ab18ff137482080f8c
-
Filesize
6KB
MD51be3e1a738b7eaf059175e6bb51db9af
SHA113087109073ee04fe74fbe8e1e8c180b6268ec19
SHA2561eae54f569864beec87765b180e70042b8b5288f275167ff78aebe6223b41b01
SHA512faa27a7eb07032753b8a00e59ca7d566618c530a806b6c94f43436a3b9f19de7203834c9ad5a8866006add5f4bf727a5604c26e4a48a0d0e2e77971acb3c9fad
-
Filesize
3KB
MD5bb05c29b7a5f49b72234efa7ee2641d8
SHA127c27d95294197de3542f586fa4fbb00d6b580fb
SHA256f26917419c0a40d051b1d19b46a37ba2df46ed89a9ce07bceda1204972058748
SHA512afaefde2a537d5bcac2082ae15d90d596b04b01395643ca3b049fd3e334d3f085f43b1eb4634de384365ae2e93fe958c166561650ffdab1491fd5d935fe7b296