Resubmissions

22/07/2024, 06:49

240722-hltgastenn 1

20/07/2024, 22:09

240720-12vcmsxfkc 10

20/07/2024, 22:06

240720-1z7j7ayhmq 3

20/07/2024, 22:05

240720-1zhaasyhln 3

20/07/2024, 22:03

240720-1ygmdaygrp 3

20/07/2024, 21:59

240720-1wg55aygml 3

Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 22:05

General

  • Target

    archive.rar

  • Size

    11.5MB

  • MD5

    691e3e042f77f3ca8b5344829029b272

  • SHA1

    43f3a009a7bd9ce972be8992151240cda02eb598

  • SHA256

    21a27ad9d564f6af8aa67437023baac60d5bad9316fac18dbace5af1ab85ec1f

  • SHA512

    2917da919add222f47b69a5e93e62872e422d74e7308edd556e0e1084234a6545a8018852ece5bc15eb96c54a5a43371b1008cdb0157430d52a2ee6a0f6f27c7

  • SSDEEP

    196608:1DOWMSWGX0Kb4zmkV0kPVhr6TmGeWgJazOarKlqlHSDWrVeL31DWmmvQP4ld:5OG5Bb4zlHPVheePayOesHU2VamvG4ld
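
An added check, not part of the report or of any Triage tooling: before relying on the findings below, confirm that the file on disk is the sample this report describes and that it is really a RAR container (the process tree shows the .rar was handed to Windows as-is, so its contents were never unpacked by the sandbox). The script recomputes the four digests listed above and compares them with the report's values, then looks for the RAR 4.x and RAR 5 marker bytes. The hash constants are copied from the General section; the marker bytes are the standard archive signatures; reading a path from argv is an assumption for command-line use.

```python
import hashlib

# Hash values copied from the report's General section for archive.rar.
REPORT_HASHES = {
    "md5": "691e3e042f77f3ca8b5344829029b272",
    "sha1": "43f3a009a7bd9ce972be8992151240cda02eb598",
    "sha256": "21a27ad9d564f6af8aa67437023baac60d5bad9316fac18dbace5af1ab85ec1f",
    "sha512": "2917da919add222f47b69a5e93e62872e422d74e7308edd556e0e1084234a6545a8018852ece5bc15eb96c54a5a43371b1008cdb0157430d52a2ee6a0f6f27c7",
}

# RAR archive marker blocks: RAR 1.5 to 4.x uses the 7-byte marker,
# RAR 5.0 and later the 8-byte marker.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def digest_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists, as lowercase hex."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def mismatched_hashes(data: bytes, expected: dict) -> list:
    """Names of digests that differ from the expected set (empty list = same sample)."""
    actual = digest_bytes(data)
    return sorted(
        name for name, value in expected.items()
        if actual.get(name, "").lower() != value.lower()
    )


def rar_format(data: bytes):
    """Identify the RAR container version from the leading marker, or None."""
    if data.startswith(RAR5_MAGIC):
        return "RAR5"
    if data.startswith(RAR4_MAGIC):
        return "RAR4"
    return None


def triage_sample(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Does this byte string match the report, and is it a RAR container at all?"""
    return {
        "matches_report": not mismatched_hashes(data, expected),
        "container": rar_format(data),
    }


if __name__ == "__main__":
    import sys  # assumption: the sample path is passed as the first argument
    with open(sys.argv[1], "rb") as fh:
        print(triage_sample(fh.read()))
```

If `matches_report` is False you are not looking at the sample this report analysed; if `container` is None the file is not a RAR archive despite its name and the Open With behaviour below should be re-read with that in mind.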

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs (in this run NOTEPAD.EXE was started by OpenWith.exe on archive.rar itself, see Processes: the Open With fallback for an extension with no registered handler, not a dropped note)
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 45 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\archive.rar
    1⤵
    • Modifies registry class
    PID:3676
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\archive.rar
      2⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:4868
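
The tree above explains the low score: cmd.exe ran the .rar directly, Windows had no handler for it, OpenWith.exe was COM-activated (hence `-Embedding` and no parent shown), and Notepad was chosen to open the 11.5MB archive, which is what tripped the "likely ransom note" signature. The helper below is an added example, not part of the report or of Triage: it replays that reasoning over process records and separates the Open With fallback from a Notepad launched by a non-shell parent on a note-like file. The first tree is transcribed from the Processes section; the second tree, the note-extension list and the launcher list are constructed assumptions for the rule.

```python
import ntpath
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None when the report shows no parent (top-level entry)
    image: str
    cmdline: str


# Process tree transcribed from the report's Processes section.
REPORT_TREE = [
    Proc(3676, None, r"C:\Windows\system32\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\archive.rar"),
    Proc(556, None, r"C:\Windows\system32\OpenWith.exe",
         r"C:\Windows\system32\OpenWith.exe -Embedding"),
    Proc(4868, 556, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\archive.rar'),
]

# Constructed contrast case (not from the report): a dropper opens a text file
# in Notepad, which is the pattern the signature is meant to catch.
CONSTRUCTED_RANSOM_TREE = [
    Proc(100, None, r"C:\Users\Admin\AppData\Local\Temp\payload.exe", "payload.exe"),
    Proc(101, 100, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_RESTORE.txt'),
]

# Assumptions for the rule: extensions ransom notes commonly use, and Windows
# shell launchers whose Notepad children reflect a user/shell action.
NOTE_EXTENSIONS = {".txt", ".hta", ".htm", ".html", ".rtf"}
SHELL_LAUNCHERS = {"openwith.exe", "explorer.exe"}


def opened_file(cmdline: str) -> Optional[str]:
    """Last argument of a Windows command line (the file Notepad opened), unquoted."""
    args = shlex.split(cmdline, posix=False)   # posix=False keeps backslashes intact
    if len(args) < 2:
        return None
    return args[-1].strip('"')


def classify_notepad(tree: List[Proc]) -> List[Tuple[int, Optional[str], str]]:
    """For every NOTEPAD.EXE in the tree, decide how it got there."""
    by_pid = {p.pid: p for p in tree}
    verdicts = []
    for proc in tree:
        if ntpath.basename(proc.image).lower() != "notepad.exe":
            continue
        parent = by_pid.get(proc.ppid) if proc.ppid is not None else None
        parent_name = ntpath.basename(parent.image).lower() if parent else ""
        target = opened_file(proc.cmdline)
        ext = ntpath.splitext(target)[1].lower() if target else ""
        if parent_name == "openwith.exe":
            # Open With dialog: no registered handler for the extension, Notepad was picked.
            verdict = "openwith_fallback"
        elif ext in NOTE_EXTENSIONS and parent_name not in SHELL_LAUNCHERS:
            verdict = "possible_ransom_note"
        else:
            verdict = "unremarkable"
        verdicts.append((proc.pid, target, verdict))
    return verdicts


if __name__ == "__main__":
    for name, tree in (("report", REPORT_TREE), ("constructed", CONSTRUCTED_RANSOM_TREE)):
        print(name, classify_notepad(tree))
```

The practical consequence for this submission: to see what the archive actually does, extract it and resubmit the contained files (the resubmission list at the top shows the same sample scored 10/10 in one of the other runs), rather than detonating the .rar itself on an image with no RAR handler.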

Network

MITRE ATT&CK Enterprise v15
