Overview

overview

7

Static

static

3

OhSoft OCa...m].rar

windows7-x64

3

OhSoft OCa...ED.rar

windows7-x64

3

AMPED/Patch.exe

windows7-x64

7

amped.nfo

windows7-x64

1

file_id.diz

windows7-x64

3

OhSoft OCa....0.exe

windows7-x64

4

Visit www....om.url

windows7-x64

1

Analysis

  • max time kernel
    1568s
  • max time network
    1569s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file_id.diz

  • Size

    304B

  • MD5

    68e5f45e300a811208a8b9ef0536d1c0

  • SHA1

    e494fd0fe1dd743428fcfea441624143bdf71bdd

  • SHA256

    0b50191cae6f1f9cc13aba4798f596693330cfff7b9541160ecd9bc401c80477

  • SHA512

    7c3a5a547ed1097104e04b4e0286a2d76fb91d1b9b5e6294d6b1adc03d0a7caa601b6dc4864f468f8a885564ae7c3a89ed7e778039ba8404ae6f21ad6c2ed8b6

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 12 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\file_id.diz
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file_id.diz
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\file_id.diz
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads