86f965340a0bed9631922eef60fb357d0c8075508569db29d1e4f6d4672b83dd

Analysis

max time kernel
86s
max time network
90s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
19/02/2024, 20:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ddm_PHPSESSID.py
Size

1KB
MD5

01a4a671f4ef0f3542d23bc2061fc7e3
SHA1

65d4568d240a3a1c4ff9c5d9d0a3c733c31f6007
SHA256

86f965340a0bed9631922eef60fb357d0c8075508569db29d1e4f6d4672b83dd
SHA512

480a41c00f4f1278f9978b8b115ed70230fe7a7a7a997d7b741afea7d7da42543d963f6566fdb08b180248d6e357d4c685766926c1d273e5105738248b004d73

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3392	OpenWith.exe
1280	MiniSearchHost.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ddm_PHPSESSID.py
1⤵
- Modifies registry class
PID:2348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
d90e784a2a95fc1d2e2199b6a907fbc9

SHA1
7e6ec69e4d899a81113a0b623f55e71ffeedeff8

SHA256
558da8426d77dea2c0be69bcca9730a7eb96bf79020b2ecda5509e1756fe4f22

SHA512
761c2722b6d75ecf2fc928f04fe5464ff275c8f6bce07ad7a19ed0e2c1660639c89ec2e38055bae1b5093937cc1d88ea3a481a883a13ee3682d3970c1cd33dca

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
85c26754118ae9c45f2b0695d83d6cad

SHA1
a9fd6ba548758878a0b5c1e44bf87a45f5ce77df

SHA256
13f27ba5dae3b34f9bd088b07a51ae7a9403ab42e1883232ac82614e3b073683

SHA512
9690c2b8107871fd4d9ee876e9dcce0df5c981e630b8a105461df334074a41b3f6e0a01375dae55c8e8e4f9d49861e640351127f5e0918f8618ca046729523c4

Download Submit