Analysis
-
max time kernel
102s -
max time network
211s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23/04/2024, 13:08
General
-
Target
ldr.sh
-
Size
8KB
-
MD5
96a47a0c44bae1ebdb32a009eb0ee159
-
SHA1
8472a8513cc53eac2eb9b9544a9de880b07cfdab
-
SHA256
5ca95bc554b83354d0581cdfa1d983c0efff33053defbc7e0359b68605fab781
-
SHA512
6be064c7839893e358d46c642e8851fd63b25353beb03c2080d949f8c1b3414056f21bf25152933adb2903f1f24aaa974b3195c00eee575383a9540292fd8326
-
SSDEEP
192:P+UUt819SjijlpLxfD5VGc/j3qVCNw/2xb9N94k:PxUOKjijlpLxfD5VGcjpEs
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 48 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 56 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ldr.sh1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ldr.sh2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ldr.sh3⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5e39758,0x7fef5e39768,0x7fef5e397782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2344 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1140 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3732 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3848 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3712 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2404 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2440 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2756 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3512 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 --field-trial-handle=1208,i,1840920488583869006,6135474147591587714,131072 /prefetch:82⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
5KB
MD52cf510b4baf8cfd8c3357c802bfd24b3
SHA1919e01c1ce37ce7375063bae1ad1de7e6673c6e0
SHA2567c77811cc75de30053dc34e9de1340a10d6f783bcc25b31d4bd05d433cdb7dac
SHA5123763cd6a247bd7e74cec4eadf63352277a8fae312b7673261542716f595d011c9c2299680af9a35856074c669c47b4431af4e8360a16db21d1c703cd6e678841
-
Filesize
24KB
MD5f782de7f00a1e90076b6b77a05fa908a
SHA14ed15dad2baa61e9627bf2179aa7b9188ce7d4e1
SHA256d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968
SHA51278ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766
-
Filesize
201KB
MD5f5bc40498b73af1cc23f51ea60130601
SHA144de2c184cf4e0a2b9106756fc860df9ed584666
SHA256c11b6273f0c5f039dfef3bf5d8efe45a2ecf65966e89eeb1a6c2277d712ae9fb
SHA5129c993ef3ec746cbe937bbe32735410257f94ceb6f734d75e401fb78dc2e3ab3b7d83c086086f0e1230dc8dafd5328f9af664341eb781c72e67c4d84d1f6c1112
-
Filesize
888B
MD595ebcd910e778cce0f2d7370dadc81e4
SHA16eb3facbf2dd878e413510f610fdf35b5dfa859d
SHA25656e77f6e635f4d38336a6e37f7e7a52e9950c5ebdca63db137e0b0a2746278e5
SHA512824f2edc0fcea0daf5ba17957125723c8c8ec7a89ded280bd52d1eb861be4c9d6287951afe04b3bbb063c94e90cc7aade5aaa9c1b03219cecd3059c109705bf0
-
Filesize
888B
MD57e4d576c29d27757d34d51714fa1b7be
SHA11366586419f545c8bf57e918079ddcd2f98a0a19
SHA256487efc80d555e66f8b8e3cc44d9d2e7a11cecf37108aeaac89883143d46b1db6
SHA51241a1a3d323077bd503d132983d75499ff82b580f5d5f7425ddc45b5a326d4d98cf9d358574f188dc6c1a527b8334601c397c9b17890f4c75997fee0b035fd94b
-
Filesize
816B
MD5ff83b682e17691e915033960202e9481
SHA1fc68872651dcf95faa5b5e92aa84faaa20129e1f
SHA2564111c5efac98b84647669152f3a6e8e1a647340eed5bbf3544c96c5f67594494
SHA5127f99e7449f55e5eb045da779dac9e4e4da7eb9471028e3f4f10d820e8a8083ea1ce6fa866e74ed35da28b708ce08ae0ac5c26017471cb71ff4f2872cc1258165
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
363B
MD5d94d0fd5cb032b0412dca5776989a21d
SHA16657359080d3e1b505fb4e52ec9ff4d51103fd66
SHA2568e71b87d4aa360e41fe4256adc7204d7b463dc68da0a87c262f4a112d7859452
SHA5125894be90184ebddcd17963805b592ceeaf2e92b0a1984ddcbf663183a734f4860c70faeb4d5984cb5ee11dc5f20cfd3720230a649457a4b3f2dfb5fdf3813cf1
-
Filesize
5KB
MD50cedd9e8872089fd19cd99578a28c46a
SHA160a7142532571478c25a87f7030269e49dfe8a6c
SHA2568f9e5222c3a9aaba6c6e1dfc9c013e5fd0429981638358c0b7873eae628c133d
SHA51284d942dcf097abff78cdd639b82f536b615e1f541b8544f50422936771b35c996edae47ea2bb5562fc4c6dd6c0c65d7998aad24da02e4f968dd2714b66d7875f
-
Filesize
5KB
MD5ebc4755aaf3a0f588a01ede9088c559c
SHA134f64090bfcac3db49ca455808d0293ee654497e
SHA25600ea81a722bd2f47cb87371d9e0635602f940b05483ada6a8c9616760dad7e2f
SHA512ad7e04365b49cf5e43667d249329d317e6a9ef0ce68b4c9ca27bc389a4d4e759b712f6e20abe0785561a02b7c1f5cc9a8a481f4550ade85a08fa1eacd7a23343
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
8KB
MD522d65ec0408f8d88110744fc94c9a88c
SHA1e578417518acf94505d821b9e677461240f038a6
SHA256c8cf9e65afc38a945d9a6bc92585a129d5e2705914de9ad54dc18f78008e6c6d
SHA5121329334e8c1afb6cb87b96314efd7e54df2a3abfb7717db4dd6ce2e604ac63bfee85ae610c80b1cf829c02f8e4cc55dbb40ba062cc5d93cc575acacdeab6d9a7
-
Filesize
4KB
-
Filesize
4KB