Overview

overview

10

Static

static

10

release.zip

windows7-x64

1

release.zip

windows10-2004-x64

1

Release/Di...at.exe

windows7-x64

10

Release/Di...at.exe

windows10-2004-x64

10

builder.exe

windows7-x64

1

builder.exe

windows10-2004-x64

1

dnlib.dll

windows7-x64

1

dnlib.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    233s
  • max time network
    242s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    release.zip

  • Size

    445KB

  • MD5

    06a4fcd5eb3a39d7f50a0709de9900db

  • SHA1

    50d089e915f69313a5187569cda4e6dec2d55ca7

  • SHA256

    c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

  • SHA512

    75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

  • SSDEEP

    12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQI:BKGo8EifSQwYWI

Score
1/10

Malware Config

Signatures

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
    1⤵
      PID:4064
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterGrant.emz
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:3272
    • C:\Windows\system32\werfault.exe
      werfault.exe /h /shared Global\5a50cfb2a4404114a5f85fd60513d142 /t 4052 /p 3272
      1⤵
        PID:2596
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1432 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1624
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterGrant.emz
            2⤵
            • Opens file in notepad (likely ransom note)
            PID:3976

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads