Resubmissions

13/11/2023, 14:53

231113-r9jfnsdc4t 3

13/11/2023, 14:50

231113-r7sassdc2s 3

13/11/2023, 14:45

231113-r47w3sdb7y 3

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231023-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13/11/2023, 14:50

General

  • Target

    Crack/rlm.dll

  • Size

    601KB

  • MD5

    662d0efe0002ada1d9b3927be1b5781d

  • SHA1

    aac3ff88ff7ac46bb41e4c6fe167594a9ef2eb87

  • SHA256

    f37e74206a8a6ece6e7348f754daf6abfdc3383096cb52d467651599855a6b6a

  • SHA512

    cf4d4456419323bbb0238963c9fa21f1ec10818031e437178eeecb38090b868da64caeeb53058a48be3c7d4a3d8987cf79afb4736f22757239d53f418e509945

  • SSDEEP

    12288:7fq0InUx3Gn4w534TxsPp2DiW2Yk/D1rLkLeCB6v1SygdTiVW:7qlUMnzuxsPp22pYCwfB6v1SygdTL

Score
1/10

Malware Config

Signatures

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Crack\rlm.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Crack\rlm.dll,#1
      2⤵
        PID:3240
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2768
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Crack\Readme.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:4028
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Crack\rlm.dll
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:1144
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Crack\Readme.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:4408

Network

MITRE ATT&CK Matrix

Downloads

  • memory/3240-0-0x0000000075300000-0x0000000075537000-memory.dmp
    Filesize
    2.2MB