Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 05:00
Behavioral tasks
- behavioral1: Sample Decompiler/Decompiler.exe, Resource win7-20240508-en
- behavioral2: Sample Decompiler/Decompiler.exe, Resource win10v2004-20240508-en
- behavioral3: Sample idkk.pyc, Resource win7-20240221-en
- behavioral4: Sample idkk.pyc, Resource win10v2004-20240508-en
General
- Target: idkk.pyc
- Size: 5KB
- MD5: f4b3c42dcbc5b1b52fd6427ae284f874
- SHA1: 51448cf4826c119bc088b66d0817aa013a1e9553
- SHA256: 9248786936d0d3b6746c41853607199e5bb773afb6478c518a475e0a5dfa3a96
- SHA512: b536725135028af1cc02089fffef3061c48b0280a5fc812154b4ee650b514a9ae164c92141096bb9c1c10ae3dd98a033d801d2b6e4fec0f9a913dae25a8b4ca7
- SSDEEP: 96:tFfE7TEUHonjpbj3XrCRb1TiQXVUPIIJy4oq4XYPutTDYKjy51H:tFqSnjpbj3XrCRb1TiQXYHJy4oq4XY20
Malware Config
(none extracted)

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings
  Process: rundll32.exe
- Suspicious use of FindShellTrayWindow (42 IoCs)
  pid: 2588, Process: rundll32.exe (same entry repeated 42 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2384 wrote to memory of 2588
  pid: 2384, Process: cmd.exe, procid_target: 29 (same entry repeated 3 times)
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\idkk.pyc
  PID: 2384
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\idkk.pyc
    PID: 2588
    signatures: Modifies registry class; Suspicious use of FindShellTrayWindow