37e75479a1f81340df1523f38b37926b2376ec00972223e1087e56a5c73ba5d0

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2023 01:27

Target

thorse/paygen.py
Size

17KB
MD5

d8c91b59a576518a85c1105a23d5f8a5
SHA1

dfc79f7719e888e69100afbb2899ed689e5392af
SHA256

071685fc48b14d675bb0eb66a8d89d58d03af97e72cef163b05deac24537de4d
SHA512

60bc65d2d0b31a49fa9ce921be9534cb4ffeabc72990aa520258eccc62ef6a14a256dff05200ec2a4ab844f0e6abd458ec19efadb11ae2aea3b24c1741450c4b
SSDEEP

192:tR3jzDTGlD8ujBusfL4qki7U6UaEDbEYZo8lBv2T3hc6LgCjflBA2ohKRbDee7P2:DjLs02UaYgYZoKChl6raDpzcwZQ

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4732 OpenWith.exe

pid	process
4732	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\thorse\paygen.py
1⤵
- Modifies registry class
PID:4004

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact