Analysis
max time kernel: 451s
max time network: 452s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2024 20:17
Behavioral task: behavioral1
Sample: PAP46E1UkZ.exe
Resource: win10v2004-20240426-en (windows10-2004-x64)
14 signatures, 600 seconds

Behavioral task: behavioral2
Sample: WindowsLibrary.pyc
Resource: win10v2004-20240419-en (windows10-2004-x64)
5 signatures, 600 seconds
General
Target: WindowsLibrary.pyc
Size: 29KB
MD5: 7b3f5e57516c8db5e6b96208fb77a61e
SHA1: eb77ed510e62ce35b3f292da2533d480000c1a38
SHA256: e33f3b2997d0710dbeeebad40c77fc21f58f61c6c21cebb8776f0069a0379ad3
SHA512: 17820fced58e8e7e4ecc3912c871a42ce84a53e28b3d2bf8627a8184f773227c59fe062fc991db5608434fae10f69f9b1cf78322551feafcaf6c0513598b269a
SSDEEP: 768:0wOR/Jt4/VZQUuS2JO0r8ZekDjpTXFDQSGx5JY2:0w0c/VCS247ekDJzGx5T
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes: OpenWith.exe, cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings | cmd.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
pid | process
4092 | NOTEPAD.EXE

Suspicious use of SetWindowsHookEx (21 IoCs)
Processes: OpenWith.exe
pid | process
1636 | OpenWith.exe (21 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: OpenWith.exe
description | pid | process | target process
PID 1636 wrote to memory of 4092 | 1636 | OpenWith.exe | NOTEPAD.EXE
PID 1636 wrote to memory of 4092 | 1636 | OpenWith.exe | NOTEPAD.EXE
Processes
C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\WindowsLibrary.pyc
  - Modifies registry class
  PID: 660

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1636

  C:\Windows\system32\NOTEPAD.EXE (child process)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WindowsLibrary.pyc
    - Opens file in notepad (likely ransom note)
    PID: 4092