e39b67e2ed6826e7bae01d7584e94e7e5d44a092556d470699d788c8211bb54b

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 20:45

Target

main.pyw
Size

23KB
MD5

8436bae2b356bf1d59ab70af8bda8ed0
SHA1

2fca06bc6d2edb8d64253bb75e179a47701706a1
SHA256

e39b67e2ed6826e7bae01d7584e94e7e5d44a092556d470699d788c8211bb54b
SHA512

cd4f7e6f970420ce6bc313f7c9d10ba1b37bba03dd3892f0f3434310a1914bdbe315fdff279bb84da271a9c2b8e1249d24cfe206ea6cd944ff6cfcfa8c816e54
SSDEEP

384:jzXp3BAGhuQhrNwKb0mdb4C63OnGF90UcH:jzXthnNdb4C6+nGkUcH

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 11 IoCs

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyw
1⤵
- Modifies registry class
PID:5084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3812

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact