3dc873cdae664feb38f1053c8c887ebe9978bf79fbce9832320754a600c54116

Analysis

max time kernel
111s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

russian rulet.py
Size

109B
MD5

34ba829a1aa314d39ef3664b66fae893
SHA1

598b5a30da7218d74875fb9c786896d8b5d75379
SHA256

3dc873cdae664feb38f1053c8c887ebe9978bf79fbce9832320754a600c54116
SHA512

18fcb45babd2f777823998fc91ef60699ad562d36517f3a8b14c12b440f7def90156c04dce78caf1987fd6b096f4b5ae686a0853913ab323e7d91aa3a9c2701d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "5"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1908	explorer.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
632	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1908	explorer.exe
Token: SeCreatePagefilePrivilege	1908	explorer.exe
Token: SeDebugPrivilege	1636	taskmgr.exe
Token: SeSystemProfilePrivilege	1636	taskmgr.exe
Token: SeCreateGlobalPrivilege	1636	taskmgr.exe
Token: 33	1636	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1636	taskmgr.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1908	explorer.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe
632	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\russian rulet.py"
1⤵
- Modifies registry class
PID:912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4132

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1908

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-0-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-1-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-2-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-6-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-7-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-8-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-9-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-10-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-11-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download
memory/1636-12-0x000001713B050000-0x000001713B051000-memory.dmp

Filesize
4KB

Download