Analysis
max time kernel: 49s
max time network: 41s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-04-2024 23:26
Static task: static1
Behavioral task: behavioral1
  Sample: release.rar
  Resource: win7-20240221-en
  4 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: release.rar
  Resource: win10v2004-20240319-en
  5 signatures, 150 seconds
General
Target: release.rar
Size: 7.9MB
MD5: 055bfe6e7bbf803236c3b1552f2ca0b1
SHA1: 21559b4a5b1ab33dc5d91e5f3422d5d88dd70e93
SHA256: baa06057a238e7417c4a544875c85b8d4d408a2c4585631206530cd2360a713e
SHA512: 410865555981d4da4eb11ab8fc37891ad01503c9bf86f30b0255460d6ed9cd3fdffa34bf4953f915254c81a6c8ed139ad389197fcd078eacdddfe92a3c5549a2
SSDEEP: 196608:juqMF1FTRFBVltwEi790gw4RsYPdgoR2twuANg9QAFb:iqmLLBm8gw98BQwujP
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings; Process: cmd.exe
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings; Process: OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid: 4852; Process: NOTEPAD.EXE
- Suspicious use of SetWindowsHookEx (23 IoCs)
  pid: 4020; Process: OpenWith.exe (23 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 4020 wrote to memory of 4852; pid: 4020; Process: OpenWith.exe; procid_target: 111
  description: PID 4020 wrote to memory of 4852; pid: 4020; Process: OpenWith.exe; procid_target: 111
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\release.rar
  PID: 4848
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4020
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (child of PID 4020)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\release.rar
    PID: 4852
    - Opens file in notepad (likely ransom note)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=756 --field-trial-handle=2244,i,11986678581565715302,451159359636456336,262144 --variations-seed-version /prefetch:8
  PID: 4392