Analysis
-
max time kernel
179s -
max time network
205s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 23:41
Behavioral task
behavioral1
Sample
creal.pyc
Resource
win10v2004-20240508-en
6 signatures
150 seconds
General
-
Target
creal.pyc
-
Size
64KB
-
MD5
d8cd9403e6a921255a8445ff764c5462
-
SHA1
ffb521167871584ede34ad1d58d4c271fe7d2efc
-
SHA256
1bb6a413a556047809939bffaacb98796d1f94645d7341d8afe4bb0262e3f0bc
-
SHA512
81c714a00e5d89aec7da216181b25ca7d71e606792e8aa18af837c083c070d40f42843ef2ede8a214a26840be60c90b292770a1c56f3fdbc6276d2d7217a467f
-
SSDEEP
1536:7Tr7e+0Ql9pObo8BHWftXASFW08VgeOR2es:7TLYbo8B2VXASNMgeORk
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4316 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2364 OpenWith.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe 2364 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2364 wrote to memory of 4316 2364 OpenWith.exe 85 PID 2364 wrote to memory of 4316 2364 OpenWith.exe 85
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\creal.pyc1⤵
- Modifies registry class
PID:420
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\creal.pyc2⤵
- Opens file in notepad (likely ransom note)
PID:4316
-
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵PID:5012