Malware Analysis Report

2025-05-05 21:31

Sample ID 240529-rkqhpaha5w
Target BombPartyUltra.rar
SHA256 ce19948b92ec306cfc8ca14d7aa939ce3dd83faee7c9cb108e3fe4e0c51f4d97
Tags
execution pyinstaller
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file BombPartyUltra.rar was found to be: Likely malicious.

Malicious Activity Summary

execution pyinstaller

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-05-29 14:15

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-29 14:15

Reported

2024-05-29 14:18

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\ZInstallPython.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4388 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4676 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\ZInstallPython.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.python.org udp
GB 151.101.60.223:443 www.python.org tcp
US 8.8.8.8:53 223.60.101.151.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

memory/2580-4-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp

memory/2580-5-0x000002B37F3C0000-0x000002B37F3E2000-memory.dmp

memory/2580-7-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

memory/2580-9-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

memory/2580-10-0x000002B37F570000-0x000002B37F5E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zq055xd4.vwn.ps1

memory/2580-25-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

memory/2580-36-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 14:15

Reported

2024-05-29 14:18

Platform

win10-20240404-en

Max time kernel

133s

Max time network

145s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BombPartyUltra.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BombPartyUltra.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 14:15

Reported

2024-05-29 14:18

Platform

win10-20240404-en

Max time kernel

127s

Max time network

135s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\ARunALL.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\ARunALL.bat"

C:\Windows\system32\mode.com

mode con: cols=185 lines=30

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-29 14:15

Reported

2024-05-29 14:18

Platform

win10-20240404-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe

"C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe"

C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe

"C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI40922\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI40922\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI40922\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI40922\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_socket.pyd

\Users\Admin\AppData\Local\Temp\_MEI40922\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\pywintypes310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-128.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-16.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-24.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-256.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-32.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-48.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-512.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-64.ico

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-64.png

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\_clock.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI40922\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\_event.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\properties.cp310-win_amd64.pyd

\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\weakproxy.cp310-win_amd64.pyd

\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\_metrics.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\style.kv

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\instructions.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\buffer.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\vertex.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\cgl.cp310-win_amd64.pyd

memory/4472-391-0x00007FFA65BF0000-0x00007FFA65C20000-memory.dmp

memory/4472-392-0x00007FFA57390000-0x00007FFA575FE000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-29 14:15

Reported

2024-05-29 14:18

Platform

win10-20240404-en

Max time kernel

134s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BombParty.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BombParty.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-29 14:15

Reported

2024-05-29 14:18

Platform

win10-20240404-en

Max time kernel

132s

Max time network

138s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\EWordList.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\EWordList.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-29 14:15

Reported

2024-05-29 14:18

Platform

win10-20240404-en

Max time kernel

133s

Max time network

135s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\FWordlist.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\FWordlist.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A