8050a585fe1d534cafecaa56bda08ce2ef3bc26ea2b0ddad90c6b0c2be1ef3af

Resubmissions

16/03/2024, 10:53

240316-myz7tshe7v 3

15/03/2024, 19:31

15/03/2024, 19:28

15/03/2024, 19:28

06/07/2023, 15:09

Analysis

max time kernel
133s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.py
Size

78KB
MD5

9da6a8e9d56d6ef316d51352c81236ed
SHA1

c619fa0ef314de17b76fbdeee76bbd97e04f7b46
SHA256

8050a585fe1d534cafecaa56bda08ce2ef3bc26ea2b0ddad90c6b0c2be1ef3af
SHA512

defd367d31326719f7b68387506973d12a1bd5340ec0517882c3634c1cf8c53e1867d6857b30c17388b014a2ca10a2f8036276d33ba99bd117aefcffa52fcb31
SSDEEP

1536:5NGZS2C+WUuj70wAXvbpwpY+w00M6llsuKvlx+4Roh0f:5NGZS2C+WUuj70wAXvbpwnw0iGuKvOe

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4940	OpenWith.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe
4940	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2248	2136	cmd.exe	114
PID 2136 wrote to memory of 2248	2136	cmd.exe	114

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\installer.py
1⤵
- Modifies registry class
PID:3188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\curl.exe
  curl bashupload.com -T installer.py
  2⤵
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...