Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-04-2024 15:15
Behavioral task: behavioral1
Sample: virus2.exe
Resource: win10v2004-20240412-en (windows10-2004-x64)
2 signatures, 150 seconds

Behavioral task: behavioral2
Sample: virus2.pyc
Resource: win10v2004-20240412-en (windows10-2004-x64)
5 signatures, 150 seconds
General
Target: virus2.pyc
Size: 1KB
MD5: 7d4d009be85e2a8b9ba178a8ad581be3
SHA1: dd1adc941d6a74cc65ba80237ad9926d5bd6e5df
SHA256: ec40a166d1f2403f2f51e6c5b1b54cbbbcdf113265d5f619f3b37d7f1a30f28d
SHA512: 69c64cead78bca8d4b29d35705a6f241c54f56b4916113131887a48658da91b7c899357ebc6c9bb07c2bc60a519011f373770567ac0d2b6bf21f439bd048126c
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  3064 | NOTEPAD.EXE
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: OpenWith.exe
  pid | process
  1016 | OpenWith.exe (17 entries, all the same pid and process)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description | pid | process | target process
  PID 1016 wrote to memory of 3064 | 1016 | OpenWith.exe | NOTEPAD.EXE
  PID 1016 wrote to memory of 3064 | 1016 | OpenWith.exe | NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  cmd /c C:\Users\Admin\AppData\Local\Temp\virus2.pyc
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (depth 1)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (depth 2)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\virus2.pyc
    - Opens file in notepad (likely ransom note)