Resubmissions
15-04-2024 19:48
ID                  Score  Submitted
240415-yjb28sgh2y   10     15-04-2024 19:06
240415-xsd3hsdf75   7      15-04-2024 19:02
240415-xpws6afh4x   10     15-04-2024 18:45
240415-xecmjadd57   10     15-04-2024 18:42
240415-xcbbpaff61   10     15-04-2024 18:39
240415-xaqctsff5v   10     15-04-2024 18:35
240415-w8gb5sff3w   10     15-04-2024 18:27
240415-w315csfe2x   10     15-04-2024 18:23
240415-w1w3mafd5t   7      15-04-2024 18:10
240415-wsg9hach35   7
Analysis
max time kernel: 126s
max time network: 135s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15-04-2024 18:45
Behavioral tasks
behavioral1: sample archive-150424-06_04_17.rar, resource win10-20240404-en
behavioral2: sample archive-150424-06_04_17.rar, resource win10v2004-20240412-en
behavioral3: sample hash.bin, resource win10-20240404-en
behavioral4: sample hash.bin, resource win10v2004-20240412-en
behavioral5: sample setup.exe, resource win10-20240404-en
behavioral6: sample setup.exe, resource win10v2004-20240412-en
General
Target: hash.bin
Size: 171KB
MD5: 0bedec1e0e6bafddd2c73b3c985bf489
SHA1: 02e07ff6415046e366943d273dc1e921a69e92f3
SHA256: 771a893e114d405bcabff6d2624c4e16a9c173ba532c65990a30716146845d83
SHA512: 520d7962e9f45f5eff6dac25986a24120601b620586bc279055cac1a01673af8a1f296d2974ef4fcc5f6518f3af2fe416f7cacd1e1405fb3b1c70a7d69ab670c
SSDEEP: 3072:2S0o3Mdva34ru3iUFdwJ2Lzcbpx8dAMuj60G8rV71iRvXwkYFF0k4/fwQcp9HJT:27oc9Y9T2JlAKzjZ/VKPYb8fwpJT
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes: cmd.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | OpenWith.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
pid | process
1004 | NOTEPAD.EXE

Suspicious use of SetWindowsHookEx (15 IoCs)
Processes: OpenWith.exe
pid | process
1644 | OpenWith.exe (15 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: OpenWith.exe
description | pid | process | target process
PID 1644 wrote to memory of 1004 | 1644 | OpenWith.exe | NOTEPAD.EXE
PID 1644 wrote to memory of 1004 | 1644 | OpenWith.exe | NOTEPAD.EXE
Processes
C:\Windows\system32\cmd.exe (depth 1)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\hash.bin
  - Modifies registry class
C:\Windows\system32\OpenWith.exe (depth 1)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (depth 2)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hash.bin
    - Opens file in notepad (likely ransom note)