f653bed4d798544077467aaf244496a65bba82470acac38d386464336229600f | Triage

Analysis

max time kernel
21s
max time network
16s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 03:55

Sharing

Report Analysis Logs

General

Target

gentool.log
Size

2KB
MD5

3382d279ab6765c028212eed6fe17ba1
SHA1

ea15a68f6f15ad9eda643c230b07e086624e659b
SHA256

f653bed4d798544077467aaf244496a65bba82470acac38d386464336229600f
SHA512

0b6a8e5cd2d8cc7ee5b5dd344fe110d9604bd132d1747f4810c549fe0e26edebbf9d508e597b47d8c2cc26135ed8efd1975e4969b8e155d9fe77c2577dc2d7c1

Score

1^/10

Malware Config

Signatures

Modifies Control Panel 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Appearance\Schemes	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Appearance\CustomColors = ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1512	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1512	NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\gentool.log
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1512

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2596

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,Advanced,@Advanced
1⤵
- Modifies Control Panel
PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads