0dd56b28fd1a19bc68821f464c8d1a836d1e6ca693f0df48ddebfbe641e552de

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MirrorTex.mcpack - Copy/textures/blocks/glass_silver.texture_set.json
Size

158B
MD5

08a0d83e39db001da86a31dca37a8b4f
SHA1

ff273af97c69c296f49134a8c933d729fbcb6899
SHA256

b0166a84b852aa568d89fb0dde37ff3881a358872d716c8bd5d82a719bae92f2
SHA512

3348ee0549298586f4bc5b8e3e037306095045336c7668aecaf54fc0efa191a9a933c32151a1914f7ccfbe60a174a7c57644f121815ef0f5bef006d571895576

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1212	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1908	OpenWith.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1212	1908	OpenWith.exe	88
PID 1908 wrote to memory of 1212	1908	OpenWith.exe	88

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MirrorTex.mcpack - Copy\textures\blocks\glass_silver.texture_set.json"
1⤵
- Modifies registry class
PID:5020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MirrorTex.mcpack - Copy\textures\blocks\glass_silver.texture_set.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads