e66fd24e29c4cd33772fbda049a4efc7b55a0c22959d0d56d0fa77bd34040864

Resubmissions

28-03-2024 09:19

240328-laa3cshc5s 10

28-03-2024 09:13

240328-k6zvxseh67 10

Analysis

max time kernel
59s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/app.asar.unpacked/out/shell-integration/bashrc.sh
Size

1KB
MD5

b97b17710549e1455a522e49d4f691d2
SHA1

43bdf9c6250029cc207ab37e482fe572842a68fa
SHA256

7ebf5ff6a15228778758f14d08c3abbd6098ab6bf6a8cbcfbe5f74eabb054cb7
SHA512

d0a7c8fcadfdd104e60ffb7e7ef1527dea64d0acb0b83d692b87d3eef895f72bbfd185214350adb61f14cb11b51897e8e64995f34bcd53a920f7bf322f2f9cc1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.sh	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.sh\ = "sh_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ま㸘⨀蠀㭀端Ʌ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ま㸘⨀蠀㭀端Ʌ\ = "sh_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\み㸙⬀耀Ɔ\ = "sh_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\み㸙⬀耀Ɔ	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

384 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3960 OpenWith.exe

pid	process
384	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

OpenWith.exe

pid	process
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe
3960	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description	pid	process	target process
PID 3960 wrote to memory of 384	3960	OpenWith.exe	NOTEPAD.EXE
PID 3960 wrote to memory of 384	3960	OpenWith.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\out\shell-integration\bashrc.sh
1⤵
- Modifies registry class
PID:2868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\out\shell-integration\bashrc.sh
2⤵
- Opens file in notepad (likely ransom note)
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
1⤵
PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads