9ccc070f6adaf5c96a0dd220bbe2accb7457b73669734101681404d05a38fb67

Resubmissions

02-03-2024 02:58

240302-dglhnshe93 10

Analysis

max time kernel
90s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal.py
Size

42KB
MD5

83aed8c87af21cea45b01f4ac44db276
SHA1

885217547b66ab229e2f9a9e75237b5d86cac5d2
SHA256

9ccc070f6adaf5c96a0dd220bbe2accb7457b73669734101681404d05a38fb67
SHA512

ee5ba296ee5525dffb57b99a4c4a3b2981553ac4e70a97d23029ff5aa2aa8724e9d6e6edcc9eabdbb3b983a9cf14734dfa2e732e82f201313116154f22c46de0
SSDEEP

768:QWDAWR5nX5hjhOCSOHSFhf1PffpLCBzwjSqefgSmr4C8Pi7W/:QWkWR5nHjhFSJLR+2SmM+W/

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3996	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3628	OpenWith.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe
3628	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3996	3628	OpenWith.exe	95
PID 3628 wrote to memory of 3996	3628	OpenWith.exe	95

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.py
1⤵
- Modifies registry class
PID:4916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Creal.py
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads