Analysis Overview
| Field | Value |
| SHA256 | c529cd95c0c85ca18df3e690f840e51d0be33b5b92f8bf1e9f91821eaedac68c |
| Threat Level | Known bad |
The file rha.zip was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: CmdExeWriteProcessMemorySpam
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-04-05 20:22 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:25 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 149s |
| Max time network | 151s |
| Command Line | |
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Note: the crashing process is the 32-bit rundll32 (PID 4360, matching WerFault's -p 4360) that was started to host g2m.dll. This run records no file writes and no network activity beyond reverse-DNS queries, so the crash is the end of the chain on this image.
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4064 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4064 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4064 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Note: these writes are the 64-bit rundll32 starting its SysWOW64 counterpart with the same arguments, which rundll32 does when the DLL it is given is 32-bit; a parent writing start-up data into a child it has just created is normal and is not injection.
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4360 -ip 4360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 560
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:25 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 92s |
| Max time network | 127s |
| Command Line | |
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4432 created 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\system32\sihost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2724 wrote to memory of 4432 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 2724 wrote to memory of 4432 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 2724 wrote to memory of 4432 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 4432 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4432 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4432 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4432 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4432 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
C:\Users\Admin\AppData\Local\Temp\file.exe
"file.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Note: the command line names system32 but the image that runs is C:\Windows\SysWOW64\dialer.exe. file.exe runs under WOW64 (its memory dumps below sit at 32-bit addresses), so its request for system32\dialer.exe is redirected by the file-system redirector to the 32-bit copy.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 235.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
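Most rows in these Network tables are PTR queries: 97.17.167.52.in-addr.arpa is a reverse lookup of 52.167.17.97. They tell you which addresses the VM had already spoken to, not which process did so, and the same names recur in the Explorer-only run (behavioral2), so they are environment background rather than indicators of the sample. The one row in this run that deserves attention is the TCP connection to 52.142.223.178:80, for which the report records no domain and no forward lookup at all. The Python below is an added example, not part of the sandbox report, that inverts PTR names and sorts the rows into reverse lookups, forward lookups, resolved connections and unresolved direct connections. The row lists are copied from the behavioral10 table above and from a slice of the behavioral4 table further down; the field order (country, destination, domain, proto) follows the report's columns.

```python
import ipaddress


def ptr_to_ip(name: str):
    """Invert a PTR name: '97.17.167.52.in-addr.arpa' -> '52.167.17.97'.
    Returns None for anything that is not a well-formed IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage_network(rows):
    """rows are (country, destination, domain, proto) tuples as in the report tables.
    DNS rows (udp to port 53) are split into reverse lookups (returned as the looked-up
    IPs) and forward lookups; every other row is a connection, 'resolved' when the report
    ties a domain to it and 'direct' when it does not."""
    reverse, forward, resolved, direct = set(), set(), [], []
    for country, dest, domain, proto in rows:
        _, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            ip = ptr_to_ip(domain)
            if ip:
                reverse.add(ip)
            else:
                forward.add(domain)
        elif domain:
            resolved.append((dest, domain))
        else:
            direct.append((country, dest, proto))
    return {"reverse": sorted(reverse), "forward": sorted(forward),
            "resolved": resolved, "direct": direct}


# Copied from the behavioral10 Network table.
BEHAVIORAL10_ROWS = [
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "211.138.73.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "121.118.77.104.in-addr.arpa", "udp"),
    ("NL", "52.142.223.178:80", "", "tcp"),
    ("US", "8.8.8.8:53", "235.137.73.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "242.137.73.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "78.117.19.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "21.236.111.52.in-addr.arpa", "udp"),
]

# A slice of the behavioral4 Network table: two forward lookups, the connections they led
# to, the PTR query that followed one of them, and one connection with no domain.
BEHAVIORAL4_ROWS = [
    ("US", "8.8.8.8:53", "chromewebstore.googleapis.com", "udp"),
    ("DE", "172.217.18.10:443", "chromewebstore.googleapis.com", "tcp"),
    ("US", "8.8.8.8:53", "10.18.217.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("NL", "142.251.39.110:443", "", "tcp"),
]

if __name__ == "__main__":
    for run, rows in (("behavioral10", BEHAVIORAL10_ROWS), ("behavioral4", BEHAVIORAL4_ROWS)):
        r = triage_network(rows)
        print(f"{run}: {len(r['reverse'])} reverse lookups, {len(r['forward'])} forward lookups")
        for dest, domain in r["resolved"]:
            print(f"  resolved {dest} <- {domain}")
        for country, dest, proto in r["direct"]:
            print(f"  DIRECT   {dest} {proto} ({country}) with no DNS context")
```

In the behavioral4 slice the PTR query for 10.18.217.172.in-addr.arpa inverts to 172.217.18.10, the address Edge had just connected to for chromewebstore.googleapis.com, which is the pattern behind every reverse-lookup row in these tables: they follow connections rather than precede them. Run the same function over the behavioral2 table and the output is reverse lookups only, which is the baseline to subtract from the Rhadamanthys runs.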
Files
memory/4432-0-0x0000000000530000-0x0000000000591000-memory.dmp
memory/4432-1-0x0000000003920000-0x0000000003D20000-memory.dmp
memory/4432-3-0x0000000003920000-0x0000000003D20000-memory.dmp
memory/4432-2-0x0000000003920000-0x0000000003D20000-memory.dmp
memory/4432-4-0x00007FFADD230000-0x00007FFADD425000-memory.dmp
memory/4432-6-0x0000000003920000-0x0000000003D20000-memory.dmp
memory/4432-7-0x0000000075F40000-0x0000000076155000-memory.dmp
memory/4600-8-0x0000000000EF0000-0x0000000000EF9000-memory.dmp
memory/4600-11-0x0000000002AA0000-0x0000000002EA0000-memory.dmp
memory/4600-10-0x0000000002AA0000-0x0000000002EA0000-memory.dmp
memory/4600-14-0x0000000002AA0000-0x0000000002EA0000-memory.dmp
memory/4600-15-0x0000000075F40000-0x0000000076155000-memory.dmp
memory/4600-12-0x00007FFADD230000-0x00007FFADD425000-memory.dmp
memory/4600-16-0x0000000002AA0000-0x0000000002EA0000-memory.dmp
Note: the 0x400000-byte region at 0x3920000 in file.exe (PID 4432) and the equally sized region at 0x2AA0000 in dialer.exe (PID 4600) are the dumps to start with when looking for what was written into dialer.exe. The 0x7FFADD230000 and 0x75F40000 ranges are present at the same addresses in both processes, which is what shared system DLLs look like rather than injected code.
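The process relationships in behavioral8 and behavioral10 above are the ones worth turning into rules: a 64-bit rundll32 re-launching its SysWOW64 twin to host a DLL from Temp, and file.exe creating dialer.exe with sihost.exe as its recorded parent (the NtCreateUserProcessOtherParentProcess signature) and then writing into it. The Python below is an added example and not part of the sandbox report or of any EDR product; it replays the two runs from records constructed from the tables above under an assumed normalised event schema (pid, image, cmdline, parent_pid, creator_pid, writes_to). The path classes and the lists of hollow hosts and spoofable parents are assumptions seeded with what this report shows.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Path classes and LOLBin lists are assumptions seeded with what this report shows.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INJECTION_HOSTS = {"dialer.exe"}      # system binaries used as hollowed hosts
SPOOFED_PARENTS = {"sihost.exe"}      # system processes used as fake parents


@dataclass
class Proc:
    pid: int
    image: str                          # on-disk image path
    cmdline: str
    parent_pid: Optional[int] = None    # parent recorded in the process object (Sysmon/EDR view)
    creator_pid: Optional[int] = None   # caller of NtCreateUserProcess (sandbox / kernel-callback view)
    writes_to: list = field(default_factory=list)   # WriteProcessMemory targets


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    return any(s in path.lower() for s in USER_WRITABLE)


def is_system_binary(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def rule_rundll32_user_dll(p, procs):
    """rundll32 loading a DLL from a user-writable directory (here g2m.dll,#1 from Temp)."""
    if basename(p.image) != "rundll32.exe":
        return None
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', p.cmdline, re.I)
    if not m or not is_user_writable(m.group(1)):
        return None   # shell32.dll,OpenAs_RunDLL from the Open With runs is not matched
    return f"pid {p.pid}: rundll32 loads {m.group(1)} export {m.group(2)} from a user-writable path"


def rule_wow64_relaunch(p, procs):
    """64-bit rundll32 starting its SysWOW64 twin with the same arguments: rundll32 does this
    for a 32-bit DLL, and the parent's writes into the new child are normal start-up, so info only."""
    par = procs.get(p.parent_pid)
    if par and basename(p.image) == basename(par.image) == "rundll32.exe" \
            and "\\syswow64\\" in p.image.lower() and p.cmdline == par.cmdline:
        return f"info: pid {par.pid} -> {p.pid} is a WOW64 rundll32 relaunch, not injection"
    return None


def rule_ppid_spoof(p, procs):
    """Recorded parent differs from the process that actually called NtCreateUserProcess."""
    if None in (p.creator_pid, p.parent_pid) or p.creator_pid == p.parent_pid:
        return None
    name = lambda pid: basename(procs[pid].image) if pid in procs else "?"
    return (f"pid {p.pid} ({basename(p.image)}): parent recorded as {p.parent_pid} "
            f"({name(p.parent_pid)}) but created by {p.creator_pid} ({name(p.creator_pid)})")


def rule_odd_child(p, procs):
    """Fallback when telemetry has no creator field: a hollow-host binary whose recorded parent
    is a shell-infrastructure process with no reason to start it (assumption about sihost.exe)."""
    par = procs.get(p.parent_pid)
    if par and basename(par.image) in SPOOFED_PARENTS and basename(p.image) in INJECTION_HOSTS:
        return f"pid {p.pid}: {basename(par.image)} is not an expected parent of {basename(p.image)}"
    return None


def rule_write_into_system_binary(p, procs):
    """A binary running from a user-writable path writing into a Windows binary. cmd.exe writing
    into the file.exe it started is not matched because the writer is itself a system binary."""
    if not is_user_writable(p.image):
        return None
    hits = [t for t in p.writes_to if t in procs and is_system_binary(procs[t].image)]
    return (f"pid {p.pid} ({basename(p.image)}) wrote into "
            + ", ".join(f"{t} ({basename(procs[t].image)})" for t in hits)) if hits else None


RULES = (rule_rundll32_user_dll, rule_wow64_relaunch, rule_ppid_spoof,
         rule_odd_child, rule_write_into_system_binary)


def triage(procs: dict) -> list:
    return [hit for p in procs.values() for r in RULES if (hit := r(p, procs))]


# Constructed from the behavioral8 and behavioral10 Processes and Signatures tables above.
BEHAVIORAL8 = {p.pid: p for p in (
    Proc(4064, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1", writes_to=[4360]),
    Proc(4360, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1", parent_pid=4064, creator_pid=4064),
)}
BEHAVIORAL10 = {p.pid: p for p in (
    Proc(2500, r"C:\Windows\system32\sihost.exe", "sihost.exe"),
    Proc(2724, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"', writes_to=[4432]),
    Proc(4432, r"C:\Users\Admin\AppData\Local\Temp\file.exe", '"file.exe"',
         parent_pid=2724, creator_pid=2724, writes_to=[4600]),
    # parent_pid 2500 is what the process object claims; the sandbox saw file.exe create it
    Proc(4600, r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"',
         parent_pid=2500, creator_pid=4432),
)}

if __name__ == "__main__":
    for run, procs in (("behavioral8", BEHAVIORAL8), ("behavioral10", BEHAVIORAL10)):
        print(run, *triage(procs), sep="\n  ")
```

In Sysmon-only telemetry the creator_pid field does not exist (event 1 carries the spoofed parent), so rule_ppid_spoof needs sandbox, ETW or kernel-callback data; rule_odd_child is the fallback that still fires on the sihost.exe -> dialer.exe relationship. The parent-to-child WriteProcessMemory from cmd.exe (PID 2724) into file.exe is part of normal process creation and is deliberately not matched, and the 64-bit to 32-bit rundll32 write in behavioral8 is reported as information rather than as injection for the same reason.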
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:26 |
| Platform | win7-20240221-en |
| Max time kernel | 122s |
| Max time network | 125s |
| Command Line | |
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rha.zip
Network
Files
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:26 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 92s |
| Max time network | 129s |
| Command Line | |
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\rha.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.138.73.23.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:26 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 93s |
| Max time network | 95s |
| Command Line | |
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 880 created 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\system32\sihost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 880 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 880 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 880 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 880 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 880 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\dialer.exe |
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.137.73.23.in-addr.arpa | udp |
Files
memory/880-0-0x0000000000060000-0x00000000000C1000-memory.dmp
memory/880-1-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/880-3-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/880-2-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/880-4-0x00007FFDAC4D0000-0x00007FFDAC6C5000-memory.dmp
memory/4484-8-0x0000000001260000-0x0000000001269000-memory.dmp
memory/880-7-0x0000000076660000-0x0000000076875000-memory.dmp
memory/880-5-0x00000000037A0000-0x0000000003BA0000-memory.dmp
memory/4484-10-0x0000000002E00000-0x0000000003200000-memory.dmp
memory/4484-11-0x00007FFDAC4D0000-0x00007FFDAC6C5000-memory.dmp
memory/4484-14-0x0000000002E00000-0x0000000003200000-memory.dmp
memory/4484-13-0x0000000076660000-0x0000000076875000-memory.dmp
memory/4484-15-0x0000000002E00000-0x0000000003200000-memory.dmp
Analysis: behavioral9
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:25 |
| Platform | win7-20240215-en |
| Max time kernel | 117s |
| Max time network | 117s |
| Command Line | |
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Note: on this Windows 7 image file.exe starts no child process, writes no files and opens no network connection; the sihost.exe parent spoofing and the dialer.exe injection are only observed on the Windows 10 images (behavioral6 and behavioral10).
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1304 wrote to memory of 312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 1304 wrote to memory of 312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 1304 wrote to memory of 312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 1304 wrote to memory of 312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
C:\Users\Admin\AppData\Local\Temp\file.exe
"file.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:25 |
| Platform | win7-20240221-en |
| Max time kernel | 122s |
| Max time network | 123s |
| Command Line | |
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Note: these keys are the per-user file-association entries that the Open With dialog (rundll32 shell32.dll,OpenAs_RunDLL) writes when an application is chosen for an unknown extension; here the analysis environment picked Adobe Reader for data.bin. They record that choice, not a persistence mechanism of the sample, and the AcroRd32.exe activity that follows is Reader opening data.bin.
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2944 wrote to memory of 2288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2944 wrote to memory of 2288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2944 wrote to memory of 2288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2288 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2288 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2288 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2288 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data.bin
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data.bin"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 036b4892ae6ecb7d97e1c9b8400291ac |
| SHA1 | a307aff9142aa2208252c0569e42e15c2ed14ba8 |
| SHA256 | 983a7bd10fcfc36b66ea1bbc4eeffe54976f7e10f2c843b48c4643483fd9c384 |
| SHA512 | 99b3cff0a271538008152167400c668535231e3a97e9a968f51db482e3f1167de16ed2acfe0a62135f3fa207d6e13800060af9692c8f93b12b01c66a4e04db23 |
Analysis: behavioral4
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:26 |
| Platform | win10v2004-20240319-en |
| Max time kernel | 146s |
| Max time network | 152s |
| Command Line | |
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
Note: OpenWith.exe -Embedding is the Open With dialog for data.bin, which has no registered handler on this image, and the msedge.exe utility process together with the tse1.mm.bing.net and chromewebstore.googleapis.com traffic below is Edge's own activity. None of it is attributable to data.bin, which is never executed in this run.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| NL | 142.251.39.110:443 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 142.250.179.138:443 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| DE | 172.217.18.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.18.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:26 |
| Platform | win7-20240221-en |
| Max time kernel | 120s |
| Max time network | 127s |
| Command Line | |
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Note: "likely ransom note" is the sandbox's heuristic for Notepad being opened during a run. The files opened are RestartSet.cmd and AddSplit.js on the Desktop; neither is listed under Files as written by the sample and no file content is shown, so the label is not confirmed by this run.
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestartSet.cmd
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\AddSplit.js
Network
Files
Analysis: behavioral7
Detonation Overview
| Field | Value |
| Submitted | 2024-04-05 20:22 |
| Reported | 2024-04-05 20:26 |
| Platform | win7-20240221-en |
| Max time kernel | 120s |
| Max time network | 125s |
| Command Line | |
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1936 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1936 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1936 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1936 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1936 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1936 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\g2m.dll,#1