bcfa9fc0b223c49baca3ac64ed6025355b07a67be93e482386a74748afa8e442

Resubmissions

07/03/2024, 09:34

240307-lj9bhsgc99 7

07/03/2024, 09:31

240307-lhafssgc68 7

07/03/2024, 09:29

240307-lf3dssgc37 7

Analysis

max time kernel
162s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EkexClient.exe.pyc
Size

69KB
MD5

2a4c573d98e6559ddc315dfc091a841a
SHA1

396ec4ae1c2845a867ddd3010db5da3be86c5740
SHA256

ad38b897bf067494c60d592e27b36d187691b66f8fb07639c6bc436f1838d775
SHA512

729096e3305421e02e3d4ddb2c2094c84bd38f264c01230bb9b127b4cf75de01bbaafb9dcf7a54d1b800521d5a59b70535ec9b6de2931a15999c71e1f3d00b54
SSDEEP

768:0+PS3Irw/gMxvCWUL8OsvPi3K2nFcWAXTxcPdCA79/GleK1AnjdRnrBI5y:0TIrYv+SNxjlJKpVrn

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4304	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4304	NOTEPAD.EXE
4304	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4304	640	OpenWith.exe	95
PID 640 wrote to memory of 4304	640	OpenWith.exe	95

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\EkexClient.exe.pyc
1⤵
- Modifies registry class
PID:4780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\EkexClient.exe.pyc
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads