1d8c80f52a16666330f204788cc9eb42d0439a4ff81ae39ffdf3ad3103751366

Analysis

max time kernel
294s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Protect.rar
Size

2.9MB
MD5

3b2cbe7b708cc29f9bd6131bb5f713f7
SHA1

748d27ad13d0216f924735317be579ff7adcaa20
SHA256

1d8c80f52a16666330f204788cc9eb42d0439a4ff81ae39ffdf3ad3103751366
SHA512

3565f70813adbfb06226a26ecd66fb068c03b7a17565bafa5ef507ca49a839d6cff053a682ce27eab25b9a817e5b794bd25dac2b31172b7e8708679eec1f2303
SSDEEP

49152:I5Bdkfblp10z/MDhhEEJrneobhInah3edweoDfkOJxm/zDrTUwjzNpOBOzm0:I5BslPKMDhhrVnNS0ew5Ds3zDUwPjOM3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2924 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2924 vlc.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

vlc.exe

pid process

2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

vlc.exe

pid process

2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
2924 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

2924 vlc.exe

pid	process
2924	vlc.exe

pid	process
2924	vlc.exe

pid	process
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe

pid	process
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe
2924	vlc.exe

pid	process
2924	vlc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2052 wrote to memory of 2180	2052	cmd.exe	rundll32.exe
PID 2052 wrote to memory of 2180	2052	cmd.exe	rundll32.exe
PID 2052 wrote to memory of 2180	2052	cmd.exe	rundll32.exe
PID 2180 wrote to memory of 3020	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3020	2180	rundll32.exe	rundll32.exe
PID 2180 wrote to memory of 3020	2180	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 2924	3020	rundll32.exe	vlc.exe
PID 3020 wrote to memory of 2924	3020	rundll32.exe	vlc.exe
PID 3020 wrote to memory of 2924	3020	rundll32.exe	vlc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Protect.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Protect.rar
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Protect.rar
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Protect.rar"
4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2924

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-30-0x000007FEFAD70000-0x000007FEFADA4000-memory.dmp

Filesize
208KB

Download
memory/2924-29-0x000000013F030000-0x000000013F128000-memory.dmp

Filesize
992KB

Download
memory/2924-32-0x000007FEFAD50000-0x000007FEFAD68000-memory.dmp

Filesize
96KB

Download
memory/2924-33-0x000007FEFAD30000-0x000007FEFAD47000-memory.dmp

Filesize
92KB

Download
memory/2924-34-0x000007FEFAD10000-0x000007FEFAD21000-memory.dmp

Filesize
68KB

Download
memory/2924-35-0x000007FEFACF0000-0x000007FEFAD07000-memory.dmp

Filesize
92KB

Download
memory/2924-36-0x000007FEF78E0000-0x000007FEF78F1000-memory.dmp

Filesize
68KB

Download
memory/2924-37-0x000007FEF78C0000-0x000007FEF78DD000-memory.dmp

Filesize
116KB

Download
memory/2924-38-0x000007FEF7640000-0x000007FEF7651000-memory.dmp

Filesize
68KB

Download
memory/2924-31-0x000007FEF5EF0000-0x000007FEF61A6000-memory.dmp

Filesize
2.7MB

Download
memory/2924-45-0x000007FEF6C30000-0x000007FEF6C41000-memory.dmp

Filesize
68KB

Download
memory/2924-47-0x000007FEF6A10000-0x000007FEF6A2B000-memory.dmp

Filesize
108KB

Download
memory/2924-48-0x000007FEF6610000-0x000007FEF6621000-memory.dmp

Filesize
68KB

Download
memory/2924-40-0x000007FEF5A60000-0x000007FEF5C6B000-memory.dmp

Filesize
2.0MB

Download
memory/2924-41-0x000007FEF6A80000-0x000007FEF6AC1000-memory.dmp

Filesize
260KB

Download
memory/2924-44-0x000007FEF7060000-0x000007FEF7071000-memory.dmp

Filesize
68KB

Download
memory/2924-46-0x000007FEF6A30000-0x000007FEF6A41000-memory.dmp

Filesize
68KB

Download
memory/2924-43-0x000007FEF7620000-0x000007FEF7638000-memory.dmp

Filesize
96KB

Download
memory/2924-50-0x000007FEF65C0000-0x000007FEF65F0000-memory.dmp

Filesize
192KB

Download
memory/2924-59-0x000007FEF58B0000-0x000007FEF58C1000-memory.dmp

Filesize
68KB

Download
memory/2924-60-0x000007FEF5890000-0x000007FEF58A2000-memory.dmp

Filesize
72KB

Download
memory/2924-58-0x000007FEF58D0000-0x000007FEF58F3000-memory.dmp

Filesize
140KB

Download
memory/2924-57-0x000007FEF5900000-0x000007FEF5918000-memory.dmp

Filesize
96KB

Download
memory/2924-56-0x000007FEF5920000-0x000007FEF5944000-memory.dmp

Filesize
144KB

Download
memory/2924-55-0x000007FEF5950000-0x000007FEF5978000-memory.dmp

Filesize
160KB

Download
memory/2924-54-0x000007FEF5980000-0x000007FEF59D7000-memory.dmp

Filesize
348KB

Download
memory/2924-53-0x000007FEF6530000-0x000007FEF6541000-memory.dmp

Filesize
68KB

Download
memory/2924-52-0x000007FEF59E0000-0x000007FEF5A5C000-memory.dmp

Filesize
496KB

Download
memory/2924-51-0x000007FEF6550000-0x000007FEF65B7000-memory.dmp

Filesize
412KB

Download
memory/2924-49-0x000007FEF65F0000-0x000007FEF6608000-memory.dmp

Filesize
96KB

Download
memory/2924-42-0x000007FEF6A50000-0x000007FEF6A71000-memory.dmp

Filesize
132KB

Download
memory/2924-39-0x000007FEF42D0000-0x000007FEF5380000-memory.dmp

Filesize
16.7MB

Download