ca0273c55507c3aae95539812c2c5d9bbdc80deb8e714360fe4bcc65d257aeb0

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 12:59

Target

07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799.dll
Size

838KB
MD5

afa27795c0c86b6afeb138d0fb09506b
SHA1

d32e44f7e04a8c84e7159ed020dcf26b6e51416e
SHA256

07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799
SHA512

85e92d60000981d836c8fe102a191e21c94f6add14fef0dd33816060699dfa5a05e1db38bd8b7194ad9e1ff30240bfdf807f91d0abe535733e2a2fc1d7264fc0
SSDEEP

24576:pyAo7FAIP03acBtXWKe25ep59MxQU08wHG3MJAQof1hB:Lo7ARBtmKe28MSU08wHaM6Qo1hB

Score

1^/10

Modifies registry class 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.agnkdbd5y\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.agnkdbd5y	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.agnkdbd5y\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4848 notepad.exe

pid	process
4848	notepad.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 4792	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 4792	1096	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 4792	1096	rundll32.exe	rundll32.exe
PID 4792 wrote to memory of 2088	4792	rundll32.exe	cmd.exe
PID 4792 wrote to memory of 2088	4792	rundll32.exe	cmd.exe
PID 4792 wrote to memory of 2088	4792	rundll32.exe	cmd.exe
PID 2088 wrote to memory of 4848	2088	cmd.exe	notepad.exe
PID 2088 wrote to memory of 4848	2088	cmd.exe	notepad.exe
PID 2088 wrote to memory of 4848	2088	cmd.exe	notepad.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799.dll,#1
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe c:\instructions_read_me.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:4848