c94ecb268a02274d58417706b8ff0deddf21036a68c4ad692cdf43127905e541

Resubmissions

28-02-2024 03:00

240228-dhl6lahh24 10

28-02-2024 02:56

240228-dfe99shg73 10

28-02-2024 02:49

240228-dbbraahf62 10

28-02-2024 02:45

240228-c81k8shd8s 10

Analysis

max time kernel
91s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Boobies.pyc
Size

29KB
MD5

e6b6c704fe4a55e2bd73ee2888e2bfb2
SHA1

77e532787b7b56321e405a710e9f63895020298f
SHA256

d1f80380fe99d7d9a052f145c6abc1b7ce844ec040f967bc4d120aa6ea4b1a1a
SHA512

91582b076bdd4976de8bd51b7c54397f25025f4b6668c33c58936a9c8d269afffb124fa74f6ef4f7354ef994b2f0f20fb27b0cc779d0b744fd77e56dc2034156
SSDEEP

768:3+lVSpnrWWk/4VDiiyAuoGyXzPBfIfTVRWSrdbHsJ1Kh7C5r:30StrWqG3KDBfI5RgKh7Qr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2384	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
924	OpenWith.exe
924	OpenWith.exe
924	OpenWith.exe
924	OpenWith.exe
924	OpenWith.exe
924	OpenWith.exe
924	OpenWith.exe
924	OpenWith.exe
924	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2384	924	OpenWith.exe	105
PID 924 wrote to memory of 2384	924	OpenWith.exe	105

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Boobies.pyc
1⤵
- Modifies registry class
PID:820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Boobies.pyc
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3900 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads