Analysis
max time kernel: 134s
max time network: 137s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-04-2024 19:43
Behavioral task: behavioral1
Sample: Black Myth Wukong 64-bit.exe
Resource: win10-20240404-en
13 signatures
150 seconds

Behavioral task: behavioral2
Sample: BSR.pyc
Resource: win10-20240404-en
6 signatures
150 seconds
General
Target: BSR.pyc
Size: 10.5MB
MD5: 7a0e5fbbbaf82bbf0be66c5761dfbe7c
SHA1: b837618235d17c2fee6a02f0d3eadedc8d25d549
SHA256: ee4cac072df122d13ec3dfbdb1fe276a9d0193fec3b6552088eead067e36cca8
SHA512: 644e36d6e7d043386c78aca405dcd208d283525743cb3509c1e292875ec877e32cee792aacc107ddee1b11dcfa480319299e084d3150bb169a63a24cef4003bb
SSDEEP: 24:SfLFtLyxnSanyXUSanyXndzmiCCHBSanyHcXRSany+SanykSanyMo3SanyS9wSau:SfL72iCDkRZW7PvWWbrs8r
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes: cmd.exe, OpenWith.exe
description   ioc                                                                                     process
Key created   \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings   cmd.exe
Key created   \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings   OpenWith.exe

Opens file in notepad (likely ransom note) (2 IoCs)
Processes: NOTEPAD.EXE, Notepad.exe
pid    process
2044   NOTEPAD.EXE
3348   Notepad.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: OpenWith.exe
pid    process
4596   OpenWith.exe

Suspicious use of SetWindowsHookEx (25 IoCs)
Processes: OpenWith.exe
pid    process
4596   OpenWith.exe (the same entry is listed 25 times)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: OpenWith.exe
description                          pid    process        target process
PID 4596 wrote to memory of 2044     4596   OpenWith.exe   NOTEPAD.EXE
PID 4596 wrote to memory of 2044     4596   OpenWith.exe   NOTEPAD.EXE
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\BSR.pyc
  PID: 1448
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4596
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\NOTEPAD.EXE (child of OpenWith.exe, PID 4596)
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BSR.pyc
      PID: 2044
      - Opens file in notepad (likely ransom note)

C:\Windows\System32\Notepad.exe
  command line: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\DisconnectConvertFrom.vbe
  PID: 3348
  - Opens file in notepad (likely ransom note)