Analysis
- max time kernel: 194s
- max time network: 277s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-02-2024 09:24
Behavioral task behavioral1
- Sample: 9785e072ecc643a10511ccf47e721bf8.tnef
- Resource: win10v2004-20240226-en
Behavioral task behavioral2
- Sample: Levi Strauss (India) Pvt. Ltd.- RRL(Ajio) Recon upto Sep23.xlsb
- Resource: win10v2004-20240226-en
General
- Target: 9785e072ecc643a10511ccf47e721bf8.tnef
- Size: 2.1MB
- MD5: 9785e072ecc643a10511ccf47e721bf8
- SHA1: 29c03e2d0825ba9ab3824b50efb654c45a8acbc3
- SHA256: c8b7dd6544ae927c180b119ca9201f61957d4111322c7ff551f64402f907d3ea
- SHA512: 11d08eebed2f580604af4ad1c726182065b8dedd20754a46444b614c1b57e846a9c53e657b4bb647055a55711f9bd03ae2bd17f07a484fe508ded8d8ee55fae1
- SSDEEP: 49152:HRQ1uIw91wprx7azpPCnBAJRXf3OKREQQr:k41wprx7azpPCnyJRP3NQr
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid | process
  4716 | NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  4828 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (25 IoCs)
  pid | process
  4828 | OpenWith.exe (all 25 entries are this same process)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | process | target pid | target process
  PID 4828 wrote to memory of 4716 | 4828 | OpenWith.exe | 4716 | NOTEPAD.EXE
  PID 4828 wrote to memory of 4716 | 4828 | OpenWith.exe | 4716 | NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe (PID 4436)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\9785e072ecc643a10511ccf47e721bf8.tnef
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 4828)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 4716, child of 4828)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\9785e072ecc643a10511ccf47e721bf8.tnef
    - Opens file in notepad (likely ransom note)

Reading the tree: the sandbox launched the .tnef through cmd /c, and the .tnef extension had no registered handler in this environment, so the shell raised the "How do you want to open this file?" dialog (OpenWith.exe started with the COM -Embedding switch), which in turn launched Notepad on the raw file. The Local Settings key created under the user's Classes hive, the SetWindowsHookEx calls from the dialog process, and the WriteProcessMemory into its Notepad child are all part of that dialog-and-launch sequence, and the "likely ransom note" signature records only that Notepad opened a file. None of it shows the TNEF content being parsed or executed, so this task says nothing about what the container carries; the second behavioral task (the .xlsb) and a static extraction of the TNEF attachments are where the assessment has to come from.
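Because the first task only shows the Open With dialog and Notepad, the useful analyst step on a .tnef is to pull the attachments out of the container statically and hash them before detonating anything. The extractor below is an added example written for this page; it is not code from the sandbox or from any party named in the report. It follows the TNEF container layout as published in MS-OXTNEF (4-byte signature, 2-byte attachment key, then attributes encoded as level, id, length, data, 16-bit checksum), verifies each attribute checksum so a truncated or tampered stream is rejected rather than misparsed, and strips directory components from the sender-supplied file name before it is ever used on disk. The TNEF stream it parses is constructed inline for demonstration and is not the sample from this report; the attachment name and payload bytes in it are made up.

```python
"""Minimal TNEF (winmail.dat) attachment extractor.

Added example; not code from the sandbox or the original report. Layout
follows the TNEF container format as published in MS-OXTNEF: a 4-byte
signature, a 2-byte attachment key, then attributes, each encoded as
<level:1><attribute id:4><length:4><data><checksum:2>. The stream built by
build_sample_tnef() is constructed here for demonstration only.
"""
import hashlib
import os
import struct

TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE = 0x01
LVL_ATTACHMENT = 0x02

# Attribute ids are (type << 16) | id; only the ones this extractor needs.
ATT_TNEF_VERSION = 0x00089006      # atpDword, message level
ATT_ATTACH_REND_DATA = 0x00069002  # atpByte: opens a new attachment record
ATT_ATTACH_TITLE = 0x00018010      # atpString: NUL-terminated file name
ATT_ATTACH_DATA = 0x0006800F       # atpByte: raw attachment contents


class TnefError(ValueError):
    """Raised for a malformed stream: bad signature, truncation, checksum."""


def iter_attributes(blob: bytes):
    """Yield (level, attribute id, data), verifying every attribute checksum."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise TnefError("not a TNEF stream (bad signature)")
    pos = 6  # past signature (4) and attachment key (2)
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise TnefError(f"truncated attribute header at offset {pos}")
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if pos + length + 2 > len(blob):
            raise TnefError(f"attribute 0x{attr_id:08x} runs past end of stream")
        data = blob[pos:pos + length]
        (checksum,) = struct.unpack_from("<H", blob, pos + length)
        if sum(data) & 0xFFFF != checksum:  # checksum is the byte sum mod 65536
            raise TnefError(f"checksum mismatch on attribute 0x{attr_id:08x}")
        pos += length + 2
        yield level, attr_id, data


def safe_name(title: bytes) -> str:
    """Decode attAttachTitle and drop any directory part the sender supplied."""
    name = title.split(b"\x00", 1)[0].decode("latin-1", errors="replace")
    return os.path.basename(name.replace("\\", "/")) or "unnamed"


def extract_attachments(blob: bytes) -> list:
    """Return one dict per attachment: {'name', 'data', 'sha256'}."""
    attachments, current = [], None
    for level, attr_id, data in iter_attributes(blob):
        if level != LVL_ATTACHMENT:
            continue
        if attr_id == ATT_ATTACH_REND_DATA:
            current = {"name": "unnamed", "data": b""}
            attachments.append(current)
        elif current is None:
            continue  # attachment attribute before any attAttachRendData
        elif attr_id == ATT_ATTACH_TITLE:
            current["name"] = safe_name(data)
        elif attr_id == ATT_ATTACH_DATA:
            current["data"] = data
    for att in attachments:
        att["sha256"] = hashlib.sha256(att["data"]).hexdigest()
    return attachments


def _attr(level: int, attr_id: int, data: bytes) -> bytes:
    """Encode one attribute with a correct checksum (used to build the sample)."""
    return (struct.pack("<BII", level, attr_id, len(data)) + data
            + struct.pack("<H", sum(data) & 0xFFFF))


SAMPLE_PAYLOAD = b"PK\x03\x04constructed-xlsb-placeholder"  # constructed, not a real file


def build_sample_tnef() -> bytes:
    """Construct a small TNEF stream with one attachment whose title carries '..\\'."""
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
            + _attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, b"\x01\x00" + b"\x00" * 12)
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"..\\..\\invoice.xlsb\x00")
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, SAMPLE_PAYLOAD))


if __name__ == "__main__":
    for att in extract_attachments(build_sample_tnef()):
        print(f"{att['name']}: {len(att['data'])} bytes, sha256 {att['sha256']}")
```

Run it against a real winmail.dat by reading the file and passing the bytes to extract_attachments(); each returned SHA256 can then be submitted as its own behavioral task, which is the path that actually exercises the attachment. Two design points matter for hostile input: the checksum check makes a corrupted or padded stream fail loudly instead of yielding a garbage attachment, and safe_name() means an attAttachTitle of ..\..\something cannot steer a later write outside the output directory.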