bcfa9fc0b223c49baca3ac64ed6025355b07a67be93e482386a74748afa8e442

Resubmissions

07/03/2024, 09:34

240307-lj9bhsgc99 7

07/03/2024, 09:31

240307-lhafssgc68 7

07/03/2024, 09:29

240307-lf3dssgc37 7

Analysis

max time kernel
85s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EkexClient.exe.pyc
Size

69KB
MD5

2a4c573d98e6559ddc315dfc091a841a
SHA1

396ec4ae1c2845a867ddd3010db5da3be86c5740
SHA256

ad38b897bf067494c60d592e27b36d187691b66f8fb07639c6bc436f1838d775
SHA512

729096e3305421e02e3d4ddb2c2094c84bd38f264c01230bb9b127b4cf75de01bbaafb9dcf7a54d1b800521d5a59b70535ec9b6de2931a15999c71e1f3d00b54
SSDEEP

768:0+PS3Irw/gMxvCWUL8OsvPi3K2nFcWAXTxcPdCA79/GleK1AnjdRnrBI5y:0TIrYv+SNxjlJKpVrn

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3608	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	OpenWith.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3608	2640	OpenWith.exe	103
PID 2640 wrote to memory of 3608	2640	OpenWith.exe	103

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\EkexClient.exe.pyc
1⤵
- Modifies registry class
PID:2136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\EkexClient.exe.pyc
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...