Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2023 11:15
Static task
static1
Behavioral task
behavioral1
Sample
gsrsaovsslca2018
Resource
win7-20230831-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
gsrsaovsslca2018
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
gsrsaovsslca2018
-
Size
5B
-
MD5
4842e206e4cfff2954901467ad54169e
-
SHA1
80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
-
SHA256
2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e
-
SHA512
ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba
Score
1/10
Malware Config
Signatures
-
Modifies registry class 1 IoCs
Processes:
OpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3244 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
svchost.exedescription pid process Token: SeBackupPrivilege 2344 svchost.exe Token: SeRestorePrivilege 2344 svchost.exe Token: SeSecurityPrivilege 2344 svchost.exe Token: SeTakeOwnershipPrivilege 2344 svchost.exe Token: 35 2344 svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
NOTEPAD.EXEpid process 1248 NOTEPAD.EXE -
Suspicious use of SetWindowsHookEx 19 IoCs
Processes:
OpenWith.exepid process 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe 3904 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
OpenWith.exedescription pid process target process PID 3904 wrote to memory of 1248 3904 OpenWith.exe NOTEPAD.EXE PID 3904 wrote to memory of 1248 3904 OpenWith.exe NOTEPAD.EXE
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\gsrsaovsslca20181⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\{BDD8D579-A75B-4DED-A1A8-95B54FCACEDE} - OProcSessId.dat2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\msedge_installer.log1⤵
- Opens file in notepad (likely ransom note)