Analysis
-
max time kernel
114s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19/07/2024, 17:59
Static task
static1
Behavioral task
behavioral1
Sample
dfa checker beta test.rar
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
dfa checker beta test.rar
Resource
win10v2004-20240709-en
General
-
Target
dfa checker beta test.rar
-
Size
376KB
-
MD5
2f8eee61f81b562b9bf975ee0bda706e
-
SHA1
f739a8f38ff33aaf8652e8b5dad296c8111074fe
-
SHA256
e3325199c2bb2c7a83fb397f95a837bb3a5641d5d71f9785b22321e260ae09db
-
SHA512
217f2344117a728ef009e4efa712856d8e0f26551991ec7e767f14304f2c2f7c1dcaa957926a6a96268a8ed36eb2a7bc415be382c9590bbcf35a6a0eea597c58
-
SSDEEP
6144:XYQj2EzpYBjC2rx+RqXYbe6Vhw3H9mFqwK7zNQuzTEP8eSpwB7Wnq8:orEzpYoNsYbzVhw3HIFqwgZwPvMwhWnR
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2532 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2532 vlc.exe -
Suspicious use of FindShellTrayWindow 41 IoCs
pid Process 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid Process 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe 2532 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2532 vlc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1712 wrote to memory of 2944 1712 cmd.exe 32 PID 1712 wrote to memory of 2944 1712 cmd.exe 32 PID 1712 wrote to memory of 2944 1712 cmd.exe 32 PID 2944 wrote to memory of 2696 2944 rundll32.exe 33 PID 2944 wrote to memory of 2696 2944 rundll32.exe 33 PID 2944 wrote to memory of 2696 2944 rundll32.exe 33 PID 2696 wrote to memory of 2532 2696 rundll32.exe 35 PID 2696 wrote to memory of 2532 2696 rundll32.exe 35 PID 2696 wrote to memory of 2532 2696 rundll32.exe 35
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar"1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar"4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
103B
MD568dda32d6af3f2d567054d29dbb8efbd
SHA19f905ce16afa295c37ebf47df7b339b87ddfa354
SHA25692b2342d8738dc6f9987b6691a1cdadda51b0e022113039f0024f84fd8f61e4c
SHA5122639e4a4576b80a3ae8f3a78c8f8f392e5376271f34609829827aed28e97948eb46712067ba0724f9f9a840077d81eb0e67d025976d68fb59e2cb1e4a3531ac3
-
Filesize
18B
MD598e27c03548a0eabeae5607420d8bff9
SHA18082bae775983521fb41ea4c1b9b6ea28ec07e94
SHA256d853a549a89014d54e60d9785be5588f070d63ba8af6f8538810f75f661506a5
SHA512ae2e2505dd1c1a87a68bb442a6367d1bd85a8ebff2b55157255eeda786243695d20c48d9053e6a852f0eb9d9f5921c191b7068a818854293ce8b7edc45f5bbb3