Analysis
-
max time kernel
149s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240412-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
19-04-2024 21:57
Behavioral task
behavioral1
Sample
garbage.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
garbage.pyc
Resource
win10v2004-20240412-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
garbage.pyc
-
Size
11KB
-
MD5
04ea7e213644470e0e3bef78d059ff78
-
SHA1
00d379ff76691aeb5f9f2dc7ad8eb5dd3c4feb67
-
SHA256
ece56ba7108441c8842e7927b4f344c2c0e53812541c8079c458ca3e11c9f2a3
-
SHA512
b91bd14c66d28d87b1a12ebfd91f9a400507d70c907d21e664647b235feaaba5f5f52ea86399fd42857507c21d4df44b58d6a1157b6cf54e660ed2c3d51b00a5
-
SSDEEP
192:/oEV2Kq1G5Ee1JCqf00Yn3LfupkImXpRzVDyJkI9wzFX:/bq1cE2LM0Y3Lupk3RpOJkI9o
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes: cmd.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings | OpenWith.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
pid | process
2660 | NOTEPAD.EXE
-
Suspicious use of SetWindowsHookEx 25 IoCs
Processes: OpenWith.exe
pid | process
4888 | OpenWith.exe (this row is repeated 25 times in the report, one per hook installation)
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: OpenWith.exe
description | pid | process | target process
PID 4888 wrote to memory of 2660 | 4888 | OpenWith.exe | NOTEPAD.EXE
PID 4888 wrote to memory of 2660 | 4888 | OpenWith.exe | NOTEPAD.EXE
Processes
-
[1] C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\garbage.pyc
- Modifies registry class
-
[1] C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
    [2] C:\Windows\system32\NOTEPAD.EXE (child of OpenWith.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\garbage.pyc
    - Opens file in notepad (likely ransom note)