Analysis
-
max time kernel
101s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 23:17
Behavioral task
behavioral1
Sample
spoofer.exe
Resource
win10v2004-20240508-en
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
creal.pyc
Resource
win10v2004-20240508-en
6 signatures
150 seconds
General
-
Target
creal.pyc
-
Size
64KB
-
MD5
d8cd9403e6a921255a8445ff764c5462
-
SHA1
ffb521167871584ede34ad1d58d4c271fe7d2efc
-
SHA256
1bb6a413a556047809939bffaacb98796d1f94645d7341d8afe4bb0262e3f0bc
-
SHA512
81c714a00e5d89aec7da216181b25ca7d71e606792e8aa18af837c083c070d40f42843ef2ede8a214a26840be60c90b292770a1c56f3fdbc6276d2d7217a467f
-
SSDEEP
1536:7Tr7e+0Ql9pObo8BHWftXASFW08VgeOR2es:7TLYbo8B2VXASNMgeORk
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1576 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3508 OpenWith.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe 3508 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3508 wrote to memory of 1576 3508 OpenWith.exe 86 PID 3508 wrote to memory of 1576 3508 OpenWith.exe 86
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\creal.pyc1⤵
- Modifies registry class
PID:3536
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\creal.pyc2⤵
- Opens file in notepad (likely ransom note)
PID:1576
-
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵PID:400