Analysis
max time kernel: 83s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 08-01-2023 12:58
Static task: static1
Behavioral task: behavioral1
  Sample: python2.py
  Resource: win7-20220901-en (windows7-x64)
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: python2.py
  Resource: win10v2004-20220901-en (windows10-2004-x64)
  3 signatures, 150 seconds
General
Target: python2.py
Size: 106KB
MD5: a5725177295201568f8c0b2e2994bb70
SHA1: 04062bb336c1b674b95138c82c00fc2cfb5cabb4
SHA256: 523c05a8499f13f10cc20c00fbe6c143bfa647f36b5915ccd5276a99081d7a07
SHA512: 25f8eee164195cf1282a9a9f22433d94b43cd6d20c3de5e1cfc5f36825e2b28e2670cc60cdb96f9f950672df1692c9b31b08e89ad9d979eb93ef16368104174b
SSDEEP: 3072:+KUZBGdcRLp9QYCRJhxovM3EdN6NXHwD5d4ENuFqzP6H8qMG4:+K9cD4JbEd0tGdnNuA634
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  432 | rundll32.exe

Suspicious use of FindShellTrayWindow (62 IoCs)
  pid | Process
  432 | rundll32.exe (62 identical entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1272 wrote to memory of 432 | 1272 | cmd.exe | 28
  PID 1272 wrote to memory of 432 | 1272 | cmd.exe | 28
  PID 1272 wrote to memory of 432 | 1272 | cmd.exe | 28
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\python2.py
   PID: 1272
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\python2.py
      PID: 432
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow