1d0e737509249f21cc3d3760d06c7c06595ff1d07cc8311941d64927b80a256f

Analysis

max time kernel
132s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.pyc
Size

7KB
MD5

d99e6d77d16c80995d47ebb7074494ae
SHA1

9c2de47ea9ac750b857f30c7c749242e4d87bd3a
SHA256

ba4f13b093e7fa8896676cdadb78b4f4c8c0bd798138ea6655de8e9601db5408
SHA512

298be58985927e08a637ec8043688b476362b5497fbf2ede7f9d337daed3ef3bd29caa1c75e81241dc0144bdcf54920cd27e6d1d75d740ffa1137e1952dc5564
SSDEEP

192:wccRPnDD8M7jWdXwVoHVPBk6JJhwCEPt7Mdws+nw:QH/WuVysO2vhPfw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\.pyc	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\.pyc\ = "pyc_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4588	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5280	OpenWith.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5280 wrote to memory of 4588	5280	OpenWith.exe	99
PID 5280 wrote to memory of 4588	5280	OpenWith.exe	99

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
1⤵
- Modifies registry class
PID:4092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5280
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyc
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...