Analysis Overview
SHA256
b462f02dd577e498077844af0a4f5b1a28fa6b141c0ceb0966bed1b43687d895
Threat Level: Shows suspicious behavior
The file If i Dead.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 13:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 13:40
Reported
2024-06-13 13:41
Platform
win10v2004-20240508-en
Max time kernel
61s
Max time network
53s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2984 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2984 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2984 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2984 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\If i Dead.exe
"C:\Users\Admin\AppData\Local\Temp\If i Dead.exe"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x3d8
Network
Files
C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3
| Hash | Value |
|---|---|
| MD5 | 7cb3e4c3fc26d1393707287b8d40f067 |
| SHA1 | d8a130712a2737eb5840e81b8d08b52102e670ef |
| SHA256 | 5d30f3b0a787caa9d85659c288db9ecd40e8fa1272bba30b162d61a8c7c5efec |
| SHA512 | 062a770d2aa8f6ea1b6c6cf4e8ca663aecd96dc66d93ada24e1b9557e298d62de317c61a4f5ebb4e458e7c2b6ac883fb2438797f1b0aff03807fb786934705d1 |
C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
| Hash | Value |
|---|---|
| MD5 | b2c4715dd95d2d140eb3bc9795f149bc |
| SHA1 | 5c578e8552566f85c6924587c370d10d06a4d8dd |
| SHA256 | 3d16b171927526f7f16b7f05d16c3d783c015b1de03252f51cffa4aecd7648b8 |
| SHA512 | 468d77488f94dfb1198b5339848a71cd4d74132047dc0fa88188f3e0b16e99274a41baf8167d04d9241d49e10ce6a1870dcafe7e1e0b5b5082bd655e07405685 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 13:40
Reported
2024-06-13 13:41
Platform
win11-20240508-en
Max time kernel
62s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4952 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 4952 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 4952 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4952 wrote to memory of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\If i Dead.exe
"C:\Users\Admin\AppData\Local\Temp\If i Dead.exe"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x0000000000000490
Network
Files
C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3
| Hash | Value |
|---|---|
| MD5 | 7cb3e4c3fc26d1393707287b8d40f067 |
| SHA1 | d8a130712a2737eb5840e81b8d08b52102e670ef |
| SHA256 | 5d30f3b0a787caa9d85659c288db9ecd40e8fa1272bba30b162d61a8c7c5efec |
| SHA512 | 062a770d2aa8f6ea1b6c6cf4e8ca663aecd96dc66d93ada24e1b9557e298d62de317c61a4f5ebb4e458e7c2b6ac883fb2438797f1b0aff03807fb786934705d1 |
C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
| Hash | Value |
|---|---|
| MD5 | b2c4715dd95d2d140eb3bc9795f149bc |
| SHA1 | 5c578e8552566f85c6924587c370d10d06a4d8dd |
| SHA256 | 3d16b171927526f7f16b7f05d16c3d783c015b1de03252f51cffa4aecd7648b8 |
| SHA512 | 468d77488f94dfb1198b5339848a71cd4d74132047dc0fa88188f3e0b16e99274a41baf8167d04d9241d49e10ce6a1870dcafe7e1e0b5b5082bd655e07405685 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 13:40
Reported
2024-06-13 13:42
Platform
win7-20240419-en
Max time kernel
70s
Max time network
19s
Command Line
Signatures
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2940 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2940 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2940 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2940 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2940 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2940 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\If i Dead.exe
"C:\Users\Admin\AppData\Local\Temp\If i Dead.exe"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
Network
Files
C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
| Hash | Value |
|---|---|
| MD5 | b2c4715dd95d2d140eb3bc9795f149bc |
| SHA1 | 5c578e8552566f85c6924587c370d10d06a4d8dd |
| SHA256 | 3d16b171927526f7f16b7f05d16c3d783c015b1de03252f51cffa4aecd7648b8 |
| SHA512 | 468d77488f94dfb1198b5339848a71cd4d74132047dc0fa88188f3e0b16e99274a41baf8167d04d9241d49e10ce6a1870dcafe7e1e0b5b5082bd655e07405685 |
C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3
| Hash | Value |
|---|---|
| MD5 | 7cb3e4c3fc26d1393707287b8d40f067 |
| SHA1 | d8a130712a2737eb5840e81b8d08b52102e670ef |
| SHA256 | 5d30f3b0a787caa9d85659c288db9ecd40e8fa1272bba30b162d61a8c7c5efec |
| SHA512 | 062a770d2aa8f6ea1b6c6cf4e8ca663aecd96dc66d93ada24e1b9557e298d62de317c61a4f5ebb4e458e7c2b6ac883fb2438797f1b0aff03807fb786934705d1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 13:40
Reported
2024-06-13 13:42
Platform
win10-20240404-en
Max time kernel
71s
Max time network
17s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1452 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 1452 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 1452 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1452 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\If i Dead.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\If i Dead.exe
"C:\Users\Admin\AppData\Local\Temp\If i Dead.exe"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e4
Network
Files
C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
| Hash | Value |
|---|---|
| MD5 | b2c4715dd95d2d140eb3bc9795f149bc |
| SHA1 | 5c578e8552566f85c6924587c370d10d06a4d8dd |
| SHA256 | 3d16b171927526f7f16b7f05d16c3d783c015b1de03252f51cffa4aecd7648b8 |
| SHA512 | 468d77488f94dfb1198b5339848a71cd4d74132047dc0fa88188f3e0b16e99274a41baf8167d04d9241d49e10ce6a1870dcafe7e1e0b5b5082bd655e07405685 |
C:\Users\Admin\AppData\Local\Temp\IfIDeath.mp3
| Hash | Value |
|---|---|
| MD5 | 7cb3e4c3fc26d1393707287b8d40f067 |
| SHA1 | d8a130712a2737eb5840e81b8d08b52102e670ef |
| SHA256 | 5d30f3b0a787caa9d85659c288db9ecd40e8fa1272bba30b162d61a8c7c5efec |
| SHA512 | 062a770d2aa8f6ea1b6c6cf4e8ca663aecd96dc66d93ada24e1b9557e298d62de317c61a4f5ebb4e458e7c2b6ac883fb2438797f1b0aff03807fb786934705d1 |