Analysis
max time kernel: 51s
max time network: 44s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 12:00
Behavioral tasks
behavioral1: sample mass_report_script.exe, resource win7-20240419-en
behavioral2: sample mass_report_script.exe, resource win10v2004-20240508-en
behavioral3: sample Stub.pyc, resource win7-20240221-en
behavioral4: sample Stub.pyc, resource win10v2004-20240508-en
General
Target: Stub.pyc
Size: 876KB
MD5: 9fbdec4dae910fe824e2a687cd880232
SHA1: 8b462b769e74de90f8b4a4eeef434fbf9e552b71
SHA256: d1f14d6147531a91456f7a849b3c05f83ce2df8d5f49e464eb2ab29f243431d3
SHA512: 008522d8fb9400d2aae32c6e3bb43eb3163ef3e2344b2b5cc1c8e5659cf5ba3d2d7c7b3012f7939efba5b9e103206062dc18a5f872398a3148c3e1f6d553a41c
SSDEEP: 12288:L4qEsMM56G0XODlk09mDEpIUdJq+gh/1yKLGUt/zjjIpstn5eqSUcKExqo0Bpn:8qfwEDl79mDKwh/1yUtUpsbjzXn
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes: cmd.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | OpenWith.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
pid | process
4608 | NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: OpenWith.exe
pid | process
224 | OpenWith.exe

Suspicious use of SetWindowsHookEx (9 IoCs)
Processes: OpenWith.exe
pid | process
224 | OpenWith.exe (9 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: OpenWith.exe
description | pid | process | target process
PID 224 wrote to memory of 4608 | 224 | OpenWith.exe | NOTEPAD.EXE
PID 224 wrote to memory of 4608 | 224 | OpenWith.exe | NOTEPAD.EXE
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Stub.pyc
    - Opens file in notepad (likely ransom note)