Overview

overview

7

Static

static

7

out.exe

windows11-21h2-x64

3

Resubmissions

01-05-2024 12:42

240501-pxmw8afa7s 7

01-05-2024 12:40

240501-pwh7msfa4y 10

01-05-2024 12:37

240501-ptvsnaha98 10

01-05-2024 12:26

240501-pmlw6seg5t 10

01-05-2024 12:25

240501-plvspaeg3t 10

Analysis

  • max time kernel
    134s
  • max time network
    143s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-05-2024 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    out.exe

  • Size

    2.5MB

  • MD5

    bfee5fcb7c170441c48b1571f21b264f

  • SHA1

    d504fcfc0011c1c5965a6f250e00e2ee2adea0d1

  • SHA256

    686a4b233dd691cabbd78c936047a7791c08ed6e7843cc209e743f9418272927

  • SHA512

    0ec41702fe73b2488410a61627f08d85e623cf8d2e6917b1d17bb4954fe81c12d358e51cc0a32b00fea7c7bbfff62387412ad2248cf9d2068f261f728f940d6a

  • SSDEEP

    49152:Uzf6V1jqp9eQTwSxfHLqY+xKkmyLW5RhM0gl:UzyV0phfOtIFIl

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\out.exe
    "C:\Users\Admin\AppData\Local\Temp\out.exe"
    1⤵
      PID:4272
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 8
        2⤵
        • Program crash
        PID:3648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4272 -ip 4272
      1⤵
        PID:3544
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockPublish.ps1xml
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:4440
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UninstallDisconnect.ADT"
        1⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:5020

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
        Filesize

        85B

        MD5

        7d4fd460d83bcf7a6ee871dd9c5243d1

        SHA1

        536a0f069462593338380d1d80713aa88c4f7673

        SHA256

        ab2741a10a55250526962f3721a9adaf3cf75d9d0b4fb630ec87c35f4fb13acc

        SHA512

        18cdef65f9a22e366b1b5587745b601d80334c14f1c021b392ddd9847797156cc26d1ab1fad29d5674da1b462c0a32083b3b12dbc16be49d195d9e6897e6e138

        Download Submit

      • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Ya5020
        Filesize

        84B

        MD5

        05130fa88f47a88d6cf6cdc339acd800

        SHA1

        25eb9978e4d3fdc65c4d8cc65664276cef3037d6

        SHA256

        b0a4085579db46662ae9d00ff7b60502f044c304333c84b1cb4b24e52765cc9e

        SHA512

        d4181d5ba474487dde9bd6da481882fc1e05037993babe9103a83bec713187d17d8d48931e9bdbd7a9be48c075018954c77e25de754099edb7b40990cf4c352a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
        Filesize

        18B

        MD5

        90d422a40a1dacfe3eb1e5e5078c49fb

        SHA1

        6d2ea2e915add8c080cdd6ea86b9fda230986ca4

        SHA256

        30d05d814cff4bc088e88696056d22ca603044a4548c87e01e0e43f95123c126

        SHA512

        0a6f37de08d78832b874487c9d72078597651e5988cf90c2957a933aadce87ce7815e0abe6d841c7d4ea7db1cddf20ed051c842013e1329b16008aead5a94e69

        Download Submit

      • memory/5020-48-0x00007FFA20B30000-0x00007FFA20B64000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-47-0x00007FF696460000-0x00007FF696558000-memory.dmp

        Filesize

        992KB

        Download

      • memory/5020-49-0x00007FFA0E820000-0x00007FFA0EAD6000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/5020-50-0x00007FFA0D540000-0x00007FFA0E5F0000-memory.dmp

        Filesize

        16.7MB

        Download