Analysis
  max time kernel: 93s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-02-2024 11:25
Static task: static1
Behavioral task: behavioral1
  Sample: Untitled attachment 00022.eml
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Untitled attachment 00022.eml
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: details.txt
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: details.txt
  Resource: win10v2004-20240226-en
General
  Target: Untitled attachment 00022.eml
  Size: 8KB
  MD5: 9a7d40a2e24919697a51e712cb902b52
  SHA1: 5522bce74c8b383f72c982dd5ce35aca618ec19d
  SHA256: 2b57bdc14e2d4211ee67f756c6fad5b58f96997568780f9c2bfedcd16271a0e7
  SHA512: b1747dc7870b8842e52938df370717c0ebed55401d6a94f5594aa78d6b65801a733855126b97c495319c140fdd824fcf80d99a5ff82e8e79818b0fe49269ba6f
  SSDEEP: 192:EzTftPyLiqQZSDWFJ5BTXmniG3DIuoCdqitVXUr8ui3:E9qLvQADwJ5tXjGzInCdqi3XU4D
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  description   ioc                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings    cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings    OpenWith.exe

NTFS ADS (1 IoCs)
  description                    ioc                                                                                   Process
  File opened for modification   C:\Users\Admin\AppData\Local\Temp\Untitled attachment 00022.eml:OECustomProperty      cmd.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    Process
  4288   OpenWith.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid    Process
  3252   NOTEPAD.EXE

Suspicious use of SetWindowsHookEx (35 IoCs)
  pid    Process
  4288   OpenWith.exe   (35 identical events)

Suspicious use of WriteProcessMemory (2 IoCs)
  description                        pid    Process        procid_target
  PID 4288 wrote to memory of 3252   4288   OpenWith.exe   101
  PID 4288 wrote to memory of 3252   4288   OpenWith.exe   101
Processes
  C:\Windows\system32\cmd.exe
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Untitled attachment 00022.eml"
    PID: 4812
    signatures: Modifies registry class; NTFS ADS

  C:\Windows\system32\OpenWith.exe
    command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 4288
    signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\Windows\system32\NOTEPAD.EXE (child of PID 4288)
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Untitled attachment 00022.eml
      PID: 3252
      signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 8KB
  MD5: 9a7d40a2e24919697a51e712cb902b52
  SHA1: 5522bce74c8b383f72c982dd5ce35aca618ec19d
  SHA256: 2b57bdc14e2d4211ee67f756c6fad5b58f96997568780f9c2bfedcd16271a0e7
  SHA512: b1747dc7870b8842e52938df370717c0ebed55401d6a94f5594aa78d6b65801a733855126b97c495319c140fdd824fcf80d99a5ff82e8e79818b0fe49269ba6f