Analysis
max time kernel: 10s
max time network: 15s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 17:04
Static task: static1
Behavioral task: behavioral1
  Sample: index.php
  Resource: win7-20240729-en
  Platform: windows7-x64
  4 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: index.php
  Resource: win10v2004-20240802-en
  Platform: windows10-2004-x64
  5 signatures
  150 seconds
General
Target: index.php
Size: 1B
MD5: 7215ee9c7d9dc229d2921a40e899ec5f
SHA1: b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256: 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512: f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | OpenWith.exe
Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  4908 | NOTEPAD.EXE
Suspicious use of SetWindowsHookEx (21 IoCs)
  Processes: OpenWith.exe
  pid | process
  4880 | OpenWith.exe (21 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description | pid | process | target process
  PID 4880 wrote to memory of 4908 | 4880 | OpenWith.exe | NOTEPAD.EXE
  PID 4880 wrote to memory of 4908 | 4880 | OpenWith.exe | NOTEPAD.EXE
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\index.php
  - Modifies registry class
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\index.php
    - Opens file in notepad (likely ransom note)