Analysis
-
max time kernel
10s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
16-10-2024 16:48
Static task
static1
Behavioral task
behavioral1
Sample
persisted_first_party_sets.json
Resource
win10-20240404-en
windows10-1703-x64
5 signatures
300 seconds
General
-
Target
persisted_first_party_sets.json
-
Size
2B
-
MD5
99914b932bd37a50b983c5e7c90ae93b
-
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
-
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
-
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 808 NOTEPAD.EXE -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 1048 OpenWith.exe 1048 OpenWith.exe 1048 OpenWith.exe 1048 OpenWith.exe 1048 OpenWith.exe 1048 OpenWith.exe 1048 OpenWith.exe 1048 OpenWith.exe 1048 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1048 wrote to memory of 808 1048 OpenWith.exe 75 PID 1048 wrote to memory of 808 1048 OpenWith.exe 75
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json1⤵
- Modifies registry class
PID:3816
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json2⤵
- Opens file in notepad (likely ransom note)
PID:808
-