12c168aed059a8a916b002d184c26825f4934f6e5d9f8cdd0a0ac46b8d3c85ba

Resubmissions

28-04-2024 17:10

240428-vp2nascg6x 7

28-04-2024 17:07

240428-vne3xace45 7

Analysis

max time kernel
66s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cstealer.pyc
Size

39KB
MD5

8c90ffe525d980a3115be90a6a275a2d
SHA1

8bab4eec2c508a8735bb218affbf0e83f8bd9cb7
SHA256

450a0bdf0c033773d23c4e163ce7022addd8a7650e14e8371d3c4b832ece2b79
SHA512

29f5615b0eb37756b57052f9efa296d6543a654ebe84d88dd529df9c45358312edae916378b04a4852218fde7395141ba314c1aa408029edeea43f6af4a7586f
SSDEEP

768:fu46JcMk17WnMGF+5JsylM3jprKBBbxoZUM4PqVfqrY9Wygqxie3HrKl4HYiBeHP:FgdkW0JsyC3F6OUM6qVirY9WygWiMujP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4580 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2172 OpenWith.exe

pid	process
4580	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

OpenWith.exe

pid	process
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe
2172	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description	pid	process	target process
PID 2172 wrote to memory of 4580	2172	OpenWith.exe	NOTEPAD.EXE
PID 2172 wrote to memory of 4580	2172	OpenWith.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
1⤵
- Modifies registry class
PID:3380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
2⤵
- Opens file in notepad (likely ransom note)
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads