8961a072653b1d55d28a855a76d9c886a8a17c6826bceda551480e6d41fde776

Analysis

max time kernel
118s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09/09/2022, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dlay.py
Size

6KB
MD5

371029310c9704a1c6fa8fc24f98d68f
SHA1

d34af20581b4cc0040b7fefbe9afda996373713e
SHA256

8961a072653b1d55d28a855a76d9c886a8a17c6826bceda551480e6d41fde776
SHA512

b49b00465de66c9116d3ae7641066bc094c15e0a38ad5d52c85c91ff5395e9357de8e887c14a989778c7119c00453ba7721c8ee7719480bab637c25631adf74f
SSDEEP

96:guJIFXAuEPEE6XbHt22e81nsI7QFr1b7xdJj/S7e72:ftH6XbNBR1v7QFrBp/ke72

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1740	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1740	1376	cmd.exe	27
PID 1376 wrote to memory of 1740	1376	cmd.exe	27
PID 1376 wrote to memory of 1740	1376	cmd.exe	27

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0dlay.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\0dlay.py
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-54-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download