Malware Analysis Report

2024-10-10 07:33

Sample ID 240615-vx1qzaycqd
Target Bruh.zip
SHA256 a4139a81c930ee6ae44004f4a5cfbe2e01561a21f1b24675829490db1239abed
Tags
evasion
score
4/10

Analysis Overview

score
4/10

SHA256

a4139a81c930ee6ae44004f4a5cfbe2e01561a21f1b24675829490db1239abed

Threat Level: Likely benign

The file Bruh.zip was found to be: Likely benign.

Malicious Activity Summary

evasion

Resource Forking

Unsigned PE

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 17:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 17:22

Reported

2024-06-15 17:28

Platform

win10v2004-20240611-en

Max time kernel

300s

Max time network

271s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Bruh\here.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Bruh\here.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 17:22

Reported

2024-06-15 17:28

Platform

macos-20240611-en

Max time kernel

263s

Max time network

285s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Bruh/here.txt"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Bruh/here.txt"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Bruh/here.txt"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Bruh/here.txt]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/bin/zsh

[/bin/zsh -c /Users/run/Bruh/here.txt]

/Users/run/Bruh/here.txt

[/Users/run/Bruh/here.txt]

/bin/sh

[sh /Users/run/Bruh/here.txt]

/bin/bash

[sh /Users/run/Bruh/here.txt]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 bag-cdn.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
GB 104.77.118.129:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
GB 17.253.77.202:80 valid.apple.com tcp
GB 17.253.77.202:80 valid.apple.com tcp
GB 17.253.77.202:80 valid.apple.com tcp
US 8.8.8.8:53 e10499.dsce9.akamaiedge.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.13:443 mobile.events.data.trafficmanager.net tcp
AU 40.79.173.40:443 mobile.events.data.trafficmanager.net tcp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
US 184.30.157.247:443 help.apple.com tcp
US 184.30.157.247:443 help.apple.com tcp
US 8.8.8.8:53 gspe35-ssl.ls-apple.com.akadns.net udp
US 8.8.8.8:53 gsp-ssl.ls.apple.com udp
GB 17.253.29.214:443 gsp-ssl.ls.apple.com tcp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

/Users/run/Library/Cookies/HSTS.plist

/Users/run/Library/Caches/GeoServices/Experiments.pbd

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 17:22

Reported

2024-06-15 17:28

Platform

win7-20240508-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe

"C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe"

Network

N/A

Files

memory/2044-0-0x000000007491E000-0x000000007491F000-memory.dmp

memory/2044-1-0x00000000009F0000-0x0000000000C58000-memory.dmp

memory/2044-2-0x0000000000200000-0x0000000000214000-memory.dmp

memory/2044-3-0x00000000003C0000-0x00000000003DA000-memory.dmp

memory/2044-4-0x00000000005A0000-0x00000000005D4000-memory.dmp

memory/2044-5-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/2044-6-0x00000000050E0000-0x0000000005256000-memory.dmp

memory/2044-7-0x0000000000650000-0x0000000000682000-memory.dmp

memory/2044-9-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/2044-8-0x0000000002290000-0x000000000229E000-memory.dmp

memory/2044-10-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/2044-11-0x000000007491E000-0x000000007491F000-memory.dmp

memory/2044-12-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/2044-13-0x0000000074910000-0x0000000074FFE000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 17:22

Reported

2024-06-15 17:28

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe

"C:\Users\Admin\AppData\Local\Temp\Bruh\honeypot.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4228-0-0x000000007532E000-0x000000007532F000-memory.dmp

memory/4228-1-0x0000000000BB0000-0x0000000000E18000-memory.dmp

memory/4228-2-0x0000000005DF0000-0x0000000006394000-memory.dmp

memory/4228-3-0x0000000005840000-0x00000000058D2000-memory.dmp

memory/4228-4-0x0000000005800000-0x0000000005814000-memory.dmp

memory/4228-6-0x0000000005900000-0x0000000005934000-memory.dmp

memory/4228-5-0x00000000058E0000-0x00000000058FA000-memory.dmp

memory/4228-7-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4228-8-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

memory/4228-9-0x0000000005AC0000-0x0000000005C36000-memory.dmp

memory/4228-10-0x0000000005DC0000-0x0000000005DF2000-memory.dmp

memory/4228-11-0x00000000075D0000-0x000000000766C000-memory.dmp

memory/4228-12-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4228-13-0x0000000007190000-0x000000000719E000-memory.dmp

memory/4228-14-0x000000007532E000-0x000000007532F000-memory.dmp

memory/4228-15-0x0000000075320000-0x0000000075AD0000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 17:22

Reported

2024-06-15 17:28

Platform

macos-20240611-en

Max time kernel

222s

Max time network

267s

Command Line

[xpcproxy com.apple.bsd.dirhelper]

Signatures

N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.bsd.dirhelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.logkextloadsd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.var-db-dslocal-backup]

/usr/bin/xar

[/usr/bin/xar -c -f dslocal-backup.xar dslocal]

/usr/libexec/xpcproxy

[xpcproxy com.apple.gkreport]

/usr/libexec/gkreport

[/usr/libexec/gkreport]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemstats.daily]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/usr/libexec/xpcproxy

[xpcproxy com.apple.csrutil.report]

/usr/bin/csrutil

[/usr/bin/csrutil report]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Bruh/honeypot.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Bruh/honeypot.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Bruh/honeypot.exe]

/bin/zsh

[/bin/zsh -c /Users/run/Bruh/honeypot.exe]

/Users/run/Bruh/honeypot.exe

[/Users/run/Bruh/honeypot.exe]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 52.182.143.213:443 tcp
GB 17.250.81.65:443 tcp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 23.59.171.27:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 a479.dscg4.akamai.net udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 gateway.fe2.apple-dns.net udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 52.182.143.215:443 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
US 184.30.157.247:443 help.apple.com tcp
US 184.30.157.247:443 help.apple.com tcp
US 8.8.8.8:53 gspe35-ssl.ls-apple.com.akadns.net udp
US 8.8.8.8:53 gsp-ssl.ls.apple.com udp
GB 17.253.37.213:443 gsp-ssl.ls.apple.com tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

/var/db/loadedkextmt.plist

/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

/Library/Preferences/com.apple.networkextension.uuidcache.plist

/Library/Preferences/com.apple.networkextension.uuidcache.plist

/Library/Preferences/com.apple.networkextension.uuidcache.plist

/Users/run/Library/Caches/GeoServices/Experiments.pbd

/Library/Preferences/com.apple.networkextension.uuidcache.plist

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 17:22

Reported

2024-06-15 17:24

Platform

win7-20240611-en

Max time kernel

30s

Max time network

19s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Bruh\here.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Bruh\here.txt

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

N/A