Overview
overview
3Static
static
1Transfer.zip
windows10-2004-x64
1Transfer/control.lua
windows10-2004-x64
3Transfer/d...n.json
windows10-2004-x64
3Transfer/freeplay.js
windows10-2004-x64
1Transfer/info.json
windows10-2004-x64
3Transfer/l...it.dat
windows10-2004-x64
3Transfer/level.dat0
windows10-2004-x64
3Transfer/level.dat1
windows10-2004-x64
3Transfer/level.dat10
windows10-2004-x64
3Transfer/level.dat11
windows10-2004-x64
3Transfer/level.dat12
windows10-2004-x64
3Transfer/level.dat2
windows10-2004-x64
3Transfer/level.dat3
windows10-2004-x64
3Transfer/level.dat4
windows10-2004-x64
3Transfer/level.dat5
windows10-2004-x64
3Transfer/level.dat6
windows10-2004-x64
3Transfer/level.dat7
windows10-2004-x64
3Transfer/level.dat8
windows10-2004-x64
3Transfer/level.dat9
windows10-2004-x64
3Transfer/l...tadata
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/l...ay.cfg
windows10-2004-x64
3Transfer/preview.jpg
windows10-2004-x64
3Resubmissions
18/01/2024, 21:47
240118-1m8ayshghp 318/01/2024, 21:42
240118-1kd94ahgdk 118/01/2024, 21:39
240118-1h5dhaafa4 1Analysis
-
max time kernel
222s -
max time network
224s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
18/01/2024, 21:47
Static task
static1
Behavioral task
behavioral1
Sample
Transfer.zip
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
Transfer/control.lua
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Transfer/description.json
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
Transfer/freeplay.js
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Transfer/info.json
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
Transfer/level-init.dat
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Transfer/level.dat0
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Transfer/level.dat1
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Transfer/level.dat10
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
Transfer/level.dat11
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Transfer/level.dat12
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Transfer/level.dat2
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Transfer/level.dat3
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Transfer/level.dat4
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Transfer/level.dat5
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
Transfer/level.dat6
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Transfer/level.dat7
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
Transfer/level.dat8
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Transfer/level.dat9
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
Transfer/level.datmetadata
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Transfer/locale/af/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
Transfer/locale/ar/freeplay.cfg
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Transfer/locale/be/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
Transfer/locale/bg/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Transfer/locale/ca/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
Transfer/locale/cs/freeplay.cfg
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Transfer/locale/da/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
Transfer/locale/de/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Transfer/locale/el/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
Transfer/locale/en/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Transfer/locale/es-ES/freeplay.cfg
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
Transfer/preview.jpg
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
Transfer/level.dat12
-
Size
133KB
-
MD5
66045e1c4e8403051c96a895cc0ca915
-
SHA1
7e635c61e39df1475abe31444218885f4b7f7ea5
-
SHA256
e7b5072cc8161625b04361b7cb8503555c1a4030122e70001eb241ca31e8575c
-
SHA512
0b95a8e40d92016bcdb10a2d678c7109550809fbf6d9e9dea499701dd6174d1b034d85601529be733631211fead3c43531ab7566c7bbf1a286fb12375d7e5752
-
SSDEEP
3072:/vPNRy2IvKAelnyAaSpWty3GqnQDD2NUkwQK:/3KXQlnyADWtDsQNkwx
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2800 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1192 OpenWith.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe 1192 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1192 wrote to memory of 2800 1192 OpenWith.exe 99 PID 1192 wrote to memory of 2800 1192 OpenWith.exe 99
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Transfer\level.dat121⤵
- Modifies registry class
PID:3304
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Transfer\level.dat122⤵
- Opens file in notepad (likely ransom note)
PID:2800
-