ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

Resubmissions

02-02-2025 11:43

250202-nvkteazmew 10

02-02-2025 11:42

250202-ntzaeaskgj 10

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware.WannaCry_Plus.zip
Size

2.3MB
MD5

5641d280a62b66943bf2d05a72a972c7
SHA1

c857f1162c316a25eeff6116e249a97b59538585
SHA256

ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488
SHA512

0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752
SSDEEP

49152:9mqR0GTCRh8C9PYUYwm79evoBD2HSypKLZ5u/KU940CwmWtSQX5ddmL6T:RA8GY3b9ev62yypKLlUVCpSSQX5ddmeT

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2636	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
816	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	mmc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	2692	mmc.exe
Token: SeIncBasePriorityPrivilege	2692	mmc.exe
Token: 33	380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	380	AUDIODG.EXE
Token: 33	380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	380	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	mmc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2692	mmc.exe
2692	mmc.exe
816	vlc.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCry_Plus.zip
1⤵
PID:2852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StartStop.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2636

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2692-0-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2692-1-0x000007FEF4CE0000-0x000007FEF4D1A000-memory.dmp

Filesize
232KB

Download
memory/2692-2-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download