b62c5f76b05543c1f980ccd972666e8fb769b9fb58fc6a0142d9044fea7d40d8

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 01:35

Target

Set@up#!Files-P@ssw0rD__~2402~_/libxcb-util-1.dll
Size

23KB
MD5

ee6788d3d3750421e01519a27f86634e
SHA1

48f4c7dc7bd1208f07e4176e78f035d36682d687
SHA256

b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60
SHA512

12ef0ac4cf9c8461044317e693bcfabdb4beb34a222b635ba50f6652b5a91b92ff20cb19e916ac60dca3e8314b7d8cec710a1c730374bb8f260b8d94f57c9775
SSDEEP

384:FlSwg+49czS++g6Od6e4um1J47E6Lx7Ow7qOocOS1:FlWgPdX66wwQJk

Score

4^/10

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2512	2100	WerFault.exe	85

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1772	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3160	mspaint.exe
3160	mspaint.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1216	svchost.exe
Token: SeRestorePrivilege	1216	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2100	2492	rundll32.exe	85
PID 2492 wrote to memory of 2100	2492	rundll32.exe	85
PID 2492 wrote to memory of 2100	2492	rundll32.exe	85
PID 1216 wrote to memory of 4384	1216	svchost.exe	97
PID 1216 wrote to memory of 4384	1216	svchost.exe	97
PID 4276 wrote to memory of 1772	4276	OpenWith.exe	102
PID 4276 wrote to memory of 1772	4276	OpenWith.exe	102

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Set@up#!Files-P@ssw0rD__~2402~_\libxcb-util-1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Set@up#!Files-P@ssw0rD__~2402~_\libxcb-util-1.dll,#1
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 552
    3⤵
    - Program crash
    PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2100 -ip 2100
1⤵
PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\dashost.exe
  dashost.exe {3721e4d8-b7a8-44be-b61427b5ae413b47}
  2⤵
  PID:4384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CompareConvertTo.cfg
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1772

memory/2100-1-0x000000006DFD0000-0x000000006DFF3000-memory.dmp

Filesize
140KB

Download
memory/2100-0-0x000000006DBD0000-0x000000006DBDE000-memory.dmp

Filesize
56KB

Download
memory/2100-2-0x000000006DC20000-0x000000006DC48000-memory.dmp

Filesize
160KB

Download
memory/2100-3-0x000000006DDC0000-0x000000006DDE0000-memory.dmp

Filesize
128KB

Download
memory/2100-4-0x000000006DBC0000-0x000000006DBCF000-memory.dmp

Filesize
60KB

Download
memory/2100-5-0x000000006DC50000-0x000000006DC5D000-memory.dmp

Filesize
52KB

Download