2ac633521283d233a8478547cb6f8109c6f318a1b0c8e9f822833b5c74c12b39

Resubmissions

29-04-2024 20:17

240429-y222dabe42 8

29-04-2024 17:55

240429-whjdtagf93 8

Analysis

max time kernel
451s
max time network
452s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsLibrary.pyc
Size

29KB
MD5

7b3f5e57516c8db5e6b96208fb77a61e
SHA1

eb77ed510e62ce35b3f292da2533d480000c1a38
SHA256

e33f3b2997d0710dbeeebad40c77fc21f58f61c6c21cebb8776f0069a0379ad3
SHA512

17820fced58e8e7e4ecc3912c871a42ce84a53e28b3d2bf8627a8184f773227c59fe062fc991db5608434fae10f69f9b1cf78322551feafcaf6c0513598b269a
SSDEEP

768:0wOR/Jt4/VZQUuS2JO0r8ZekDjpTXFDQSGx5JY2:0w0c/VCS247ekDJzGx5T

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

OpenWith.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4092 NOTEPAD.EXE

pid	process
4092	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

OpenWith.exe

pid	process
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe
1636	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description	pid	process	target process
PID 1636 wrote to memory of 4092	1636	OpenWith.exe	NOTEPAD.EXE
PID 1636 wrote to memory of 4092	1636	OpenWith.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WindowsLibrary.pyc
1⤵
- Modifies registry class
PID:660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WindowsLibrary.pyc
2⤵
- Opens file in notepad (likely ransom note)
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads