Analysis Overview
SHA256
ce19948b92ec306cfc8ca14d7aa939ce3dd83faee7c9cb108e3fe4e0c51f4d97
Threat Level: Likely malicious
The file BombPartyUltra.rar was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Detects Pyinstaller
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 14:15
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-29 14:15
Reported
2024-05-29 14:18
Platform
win10-20240404-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4388 wrote to memory of 4676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 4388 wrote to memory of 4676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 4676 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4676 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\ZInstallPython.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.python.org | udp |
| GB | 151.101.60.223:443 | www.python.org | tcp |
| US | 8.8.8.8:53 | 223.60.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
memory/2580-4-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp
memory/2580-5-0x000002B37F3C0000-0x000002B37F3E2000-memory.dmp
memory/2580-7-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2580-9-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2580-10-0x000002B37F570000-0x000002B37F5E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zq055xd4.vwn.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2580-25-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2580-36-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 14:15
Reported
2024-05-29 14:18
Platform
win10-20240404-en
Max time kernel
133s
Max time network
145s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BombPartyUltra.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 14:15
Reported
2024-05-29 14:18
Platform
win10-20240404-en
Max time kernel
127s
Max time network
135s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5116 wrote to memory of 3252 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com |
| PID 5116 wrote to memory of 3252 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\ARunALL.bat"
C:\Windows\system32\mode.com
mode con: cols=185 lines=30
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-29 14:15
Reported
2024-05-29 14:18
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Loads dropped DLL
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4092 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe |
| PID 4092 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe |
| PID 4472 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | C:\Windows\system32\cmd.exe |
| PID 4472 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe
"C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe"
C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe
"C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\BombParty.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI40922\ucrtbase.dll
| MD5 | 546793941ac1152500894daff0fd337a |
| SHA1 | ede8a5040b5e7e445e7c048aead30bf098168108 |
| SHA256 | 1aea16f206069eec06cac4cf4492f2312ef9c8e3fb8b28f188e8433268cd9892 |
| SHA512 | ea25f22c75b344c82891a804e1a46b356848304d33a32bb4fb97bbf9959fcadea360e15467cd188f9fbea3059339a20f5787e12059dfbccc2c9e17cd8b93d55b |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\python310.dll
| MD5 | a1185bef38fdba5e3fe6a71f93a9d142 |
| SHA1 | e2b40f5e518ad000002b239a84c153fdc35df4eb |
| SHA256 | 8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e |
| SHA512 | cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\base_library.zip
| MD5 | 4c03caa79c462b5df082efde831684fd |
| SHA1 | 7ca43faee8c8cfa6027f30f5f732a12a2557e59a |
| SHA256 | ccf72c5a640a54e84c4a5c3dfb242b2998203b57c79bf051d18860a57dc53592 |
| SHA512 | d5f6b3ee869cbb9a35ce6949e4a540e7e3c8baa4de10c641be4c923aba680b75d055ec3d7eced3593128e6cc1d969fe3171e1640ea66e0d5031a8b9a47c3b25d |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ctypes.pyd
| MD5 | 92276f41ff9c856f4dbfa6508614e96c |
| SHA1 | 5bc8c3555e3407a3c78385ff2657de3dec55988e |
| SHA256 | 9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850 |
| SHA512 | 9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_socket.pyd
| MD5 | c5378bac8c03d7ef46305ee8394560f5 |
| SHA1 | 2aa7bc90c0ec4d21113b8aa6709569d59fadd329 |
| SHA256 | 130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9 |
| SHA512 | 1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856 |
\Users\Admin\AppData\Local\Temp\_MEI40922\select.pyd
| MD5 | 63ede3c60ee921074647ec0278e6aa45 |
| SHA1 | a02c42d3849ad8c03ce60f2fd1797b1901441f26 |
| SHA256 | cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5 |
| SHA512 | d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_bz2.pyd
| MD5 | a1fbcfbd82de566a6c99d1a7ab2d8a69 |
| SHA1 | 3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76 |
| SHA256 | 0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095 |
| SHA512 | 55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_lzma.pyd
| MD5 | a6bee109071bbcf24e4d82498d376f82 |
| SHA1 | 1babacdfaa60e39e21602908047219d111ed8657 |
| SHA256 | ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f |
| SHA512 | 8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\pyexpat.pyd
| MD5 | 8b9855e1b442b22984dc07a8c6d9d2ed |
| SHA1 | 2e708fbf1344731bca3c603763e409190c019d7f |
| SHA256 | 4d0f50757a4d9abe249bd7ebea35243d4897911a72de213ddb6c6945fef49e06 |
| SHA512 | 59ca1cbc51a0b9857e921e769587b021bc3f157d8680bb8f7d7f99deb90405db92051e9be8891399379d918afc5d8cb36123297d748c5265ae0855613b277809 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_queue.pyd
| MD5 | 8dd33fe76645636520c5d976b8a2b6fc |
| SHA1 | 12988ddd52cbb0ce0f3b96ce19a1827b237ed5f7 |
| SHA256 | 8e7e758150ea066299a956f268c3eb04bc800e9f3395402cd407c486844a9595 |
| SHA512 | e7b4b5662ebd8efb2e4b6f47eb2021afacd52b100db2df66331ca79a4fb2149cac621d5f18ab8ab9cfadbd677274db798ebad9b1d3e46e29f4c92828fd88c187 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\pywintypes310.dll
| MD5 | bd1ee0e25a364323faa252eee25081b5 |
| SHA1 | 7dea28e7588142d395f6b8d61c8b46104ff9f090 |
| SHA256 | 55969e688ad11361b22a5cfee339645f243c3505d2963f0917ac05c91c2d6814 |
| SHA512 | d9456b7b45151614c6587cee54d17261a849e7950049c78f2948d93a9c7446b682e553e2d8d094c91926dd9cbaa2499b1687a9128aec38b969e95e43657c7a54 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-128.png
| MD5 | 796dfbef2d897b6749f214a43edd9315 |
| SHA1 | 91f0e313abfb49bcda915d712969eaf2e462f538 |
| SHA256 | b11d23e098104f77089e859cc97a7fb52341e05ad6871e8be9994e188cb2f556 |
| SHA512 | b70c0f51017ad3e115b926db2c2d11e12adb966597fdd305e5fe4869bf6768a55e24ddf7df4ca34cab48cadc38e627cb1e6303a2e8544b32b8af0b30c698fb6c |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-16.png
| MD5 | 1f781089a713189bc96d3ef05fee457f |
| SHA1 | 3fafc09a1d89aa250acaf34df8fbe13afd851491 |
| SHA256 | 52ef10fc7d1adeea6a21d82d9ab168a354c01f0a2e5efe3eff61b378ca7ad730 |
| SHA512 | f8712a7d47bce4cf36fa94528dd29806cb524e74817e01abb7515a985a82e2f5c8e778c94a3341fe631e3d6102ff25aaed585c4b420f3bfcfdc41814a73e779e |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-24.png
| MD5 | d8edd4e2248bc3310291af735e514fcd |
| SHA1 | 54ca3472f3324eea4f700506cc1aeade65cd3502 |
| SHA256 | d52b8f3a73bfec3f5c345f010a9fc25d9f74900d7cd4b54912cf82bd08fadffd |
| SHA512 | 8cfe735fb6d45423566b09be56b0d29a84d30074bd8d3112a26e157ce8aaa92e5edd7daa95b4ad366c6b65658081e5c9192b36afa6932f3fb065c1734e736962 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-256.png
| MD5 | 9f78f7a154400fcdee139d789ff50e33 |
| SHA1 | eb2c602986a27c57642eef320ff54246d78e8b5e |
| SHA256 | 3ca68b695733667aa883ba920f70e1a20ecaa6f0feaffff4e2d82c96c8745f5b |
| SHA512 | 00b18c8fb96f23b70ddff73c50032ccfdd1704a705c839278a0f77ebf861502b5a824335a651d846815955afb3b1688bc754eb6db833a21c0fac74c850daed6a |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-32.png
| MD5 | 72f57e599d03692ebd0339333a392f60 |
| SHA1 | d2c3ccee024b2524552a0907de1c2ee305a9656f |
| SHA256 | e11fced4e1379284c209b9f9fa39c4920ed921cae168db5c4beb9de4ad34282d |
| SHA512 | 4b7616a3a0583f3f55403ebd4053f0d5c8428c3ad39f78cd64d967dee2992ad76a0ae9c7646ae34531648be31f1d4b743ff6e2af1455d9f30c8620537d2ce0c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-48.png
| MD5 | cdf7229a0f442b95306b379454b6f8c6 |
| SHA1 | 8783470a5a99306cce4a11d9eaba695d09adc807 |
| SHA256 | d525539096d8f3502d8e1175fb1b07b73360ecc2f87b733ba8822c308f9a3cb6 |
| SHA512 | 4e11ca29aa442c2dc9fbd0b075e920b853b4c445d07c3d3a824baab2e60305da4003b96d6632f20d75556e745c2e1ddf465713027ab1efecd70f4cc12558e7d3 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-512.png
| MD5 | 09e2d4afa3b2167f2f494e5a2a462685 |
| SHA1 | 8311a3c08003fe451fb56952e11a9a406913a4ab |
| SHA256 | bf9f2bb9715acea81e4e46c0d6be5d7f25712f0d885ba9942960fb325bf54a86 |
| SHA512 | 1a37e2ef85ad7c4d76472b7f3d2e650615857c60702edec843548a84540bdde608d07f83588a8aed4179c4e0b9adbf9ac8ace57a3a2259a55044d2d1b4db4fed |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-64.ico
| MD5 | d86b9c2f3a3870a515efdac704cf37fa |
| SHA1 | 3661803321ace44feb7048876fc4a66e331e50ac |
| SHA256 | 94cb8d6a02becd4330818ded867461bcf1bc6be2952b547e0f11310061edf708 |
| SHA512 | 0c46c444568bc90ca3620fc66fb9256ce75cae2a83cf1f0d64e6b5f741a23e76f3c523a1669ed8542cb00c9c53740e3209908e9252574bb51cbb78ebede1c7ca |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\logo\kivy-icon-64.png
| MD5 | 9aeb14f0bb4b3d927dc1156fc642f478 |
| SHA1 | 23242b879b52869ef948bebe6fcc77c9fe639497 |
| SHA256 | 10e913fc768b1be6a3bb72532ee739c92a561ec6683e9d16a453a0b27794118f |
| SHA512 | b4763a58b7bd9a33d8133ed78b2e253ccff9fd7c1f543bfab23d7423afaa2c8cac5367ee7ff16b321d07b33fae6792207c43b7f79625f7d77229c4d3690b2ca2 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\_clock.cp310-win_amd64.pyd
| MD5 | d7a37bcc197929f01daa9db6ec9e3f62 |
| SHA1 | be981544bc6ab9b94d2b96a1f7d2f85665b32378 |
| SHA256 | ca957751a67289901b7a675c1dd50da9928660de8eae2581e2825366083a6003 |
| SHA512 | 0e159105cbda41917280115851adda341213b3ec9ec9280c64ec3f97c7c79206183bbf0fa0cbf7f1858b4f424d8fa05977238e52fe5be3275502a1e3f597a526 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ssl.pyd
| MD5 | 9d810454bc451ff440ec95de36088909 |
| SHA1 | 8c890b934a2d84c548a09461ca1e783810f075be |
| SHA256 | 5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7 |
| SHA512 | 0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libssl-1_1.dll
| MD5 | de72697933d7673279fb85fd48d1a4dd |
| SHA1 | 085fd4c6fb6d89ffcc9b2741947b74f0766fc383 |
| SHA256 | ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f |
| SHA512 | 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_asyncio.pyd
| MD5 | 483bfc095eb82f33f46aefbb21d97012 |
| SHA1 | def348a201c9d1434514ca9f5fc7385ca0bd2184 |
| SHA256 | 5e25e2823ed0571cfdbae0b1d1347ae035293f2b0ac454fb8b0388f3600fd4b6 |
| SHA512 | fe38b3585fbfaf7465b31fbc124420cfbd1b719ea72a9ae9f24103d056c8fa9ae21c2a7dd3073810222405457beff89bbb688daeced3219351a30992a6721705 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_overlapped.pyd
| MD5 | bf3e86152b52d3f0e73d0767cde63f9f |
| SHA1 | 3863c480a2d9a24288d63f83fa2586664ec813a2 |
| SHA256 | 20c94846417ee3ca43daa5fae61595ad7e52645657fda5effe64800fe335ff0d |
| SHA512 | 8643f94ece38246769ff9ba87a249b8afde137cf193ff4d452937197ce576816c1ce044c4ad2951bc5535cc3acf1b27e9f2be043b8175c5a2ca2190b05dc0235 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\_event.cp310-win_amd64.pyd
| MD5 | 6bcaad92ae08de147bc666af97ab7812 |
| SHA1 | 1ec506ba14c046ce0d4bb67327bf74dc0b8b163e |
| SHA256 | 0d199829e7a7f62ba2a7745452f5543fc8632f43995855971a8f898956ae0a5c |
| SHA512 | 4894850d05971619325fea653ab1f40d43cc20a38e1d680309dfb90a1aa0ebd2eed45564874b0223042951e690522011a823b2c3219e545b4b20ca02adf3b4cf |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\properties.cp310-win_amd64.pyd
| MD5 | 6bf2877adfa1616ecd8ef0ab1e521d22 |
| SHA1 | 3033e23a3ccd3d52bc6411730c13dda07ad5f30b |
| SHA256 | 13ded57445a51c2da6a1ea251203fc385cb9f3a211eb6e626d64b2ad969e7be5 |
| SHA512 | fd0c9e8072e4291fd80ff789d49b7a8d8e1e183c90f5f8ab43eb746e6aeae73fd94e9450b32c7e0510ed72568d554b2d560492b6eb828686ed1bd327e15a3be4 |
\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\weakproxy.cp310-win_amd64.pyd
| MD5 | 4e8b7a75220848b0c8ec136961c74446 |
| SHA1 | c239aa5fb3af2580093a0cdf4acff5815bcaf921 |
| SHA256 | 4a018c91d776503ef37534086e7fae93dc92935fb1109bf1176a47294bef8527 |
| SHA512 | 6a13c7314f6d8e42cc02f22e24e214d27b5645d16408e796df8fd6d1f4fa1bf76ded93ac432053154a058856508f5ede058306504a946d7e61f57350240b0add |
\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\_metrics.cp310-win_amd64.pyd
| MD5 | b47dc609ac43b6b346d7294ad26fbf42 |
| SHA1 | 003814c691f600cd549d8aca60b0c5c991d575e6 |
| SHA256 | fa42a8abfce7d710e8ea65b6168b65b3098090f583c3804d53acf7c917e7ac34 |
| SHA512 | 0132eb88f7ae43d181766454dd0ac7322cb56cad4ad97ca3a7abb9b67c3efb4a63c4714fc50dd806b758ac38164b9720527fdfeb773185923f4ecc04d62dc059 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy_install\data\style.kv
| MD5 | 4dce0a2b93e9404be908fc8890029ce8 |
| SHA1 | 8fdd886eaa84155d99de69270668e51ca404fefe |
| SHA256 | fd8a2ee806d5c1cd4ee059ab90c1beb3e1d5ce64f7d60390f13f1ba83856dcec |
| SHA512 | ce1db8f15c16765d5aa3aae37170d713532bce36723aa3d3a86483c17d6fa7eac65c7799968d6522f027a936d737477069facb0f9c98b67086fc1f6b0f51caeb |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\instructions.cp310-win_amd64.pyd
| MD5 | 6b978a249f7df98010e93f76dc98d4b1 |
| SHA1 | 905f8a010cad703936b42cfb9abce74791a6697e |
| SHA256 | ebdd9805399a558134bd9181d76c0595ebcd35851c133c1867081ce1d9fd5d7d |
| SHA512 | a99bf8664a9313d0f74aa641d67a3024f71aa22223c72a79e4e877f33c868ca848464ef69822bd17183b3e0345081dfb129bcd6bd2267cabcc8c449cce9cfe79 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\buffer.cp310-win_amd64.pyd
| MD5 | 80e0fd43ed6375ef6a9b65ab3fa4dee5 |
| SHA1 | 0e4379ca19ec4394ba884fe3781a540941fda14a |
| SHA256 | e9627c5e81f9ae8616042efbf3105e5b78c8d2b76a62299e699d658449e250b4 |
| SHA512 | ce62e1dc58de385c2a1209a3763af691c395e999fc522cd67d08d23ac33498ffdacc710bd643ea9bb4789d85390118a3a6a45ef4aab831339005abab7c38d9ba |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\vertex.cp310-win_amd64.pyd
| MD5 | b8d7fa40e6ad8b00aefbf3221a8d47f4 |
| SHA1 | ad1c28ffe146bdf66938dc9db7cb746f102d4a46 |
| SHA256 | cab8fa77c2c8d79ae6e9b48556dd9b8455d6a7416d83bbb3e58b41d34fcd5cc4 |
| SHA512 | dc6a02411492b63c876eb02278466da2c98b5ec02990752df3939a2fd8679d64489fedb24ffad14499907b079fefc679818bb1c767c20c418b114b8ec46d3c62 |
C:\Users\Admin\AppData\Local\Temp\_MEI40922\kivy\graphics\cgl.cp310-win_amd64.pyd
| MD5 | 18bec878ec45123e06d403118ac16263 |
| SHA1 | 80df9cc2c113bc1e9b2b64e46bf14b272242b73e |
| SHA256 | fa59f739637eb7f09c444ae8c4eb71dd4a4fb0b989f8844fb792b976c5538dbf |
| SHA512 | 145abd5180b733030ae46b4566aa1ed5888f357d1bb8664e49a57c8f3d809e78cc06fb8f5979de52b943d0947cabde30a9d8c0b5951d906a07cc0f832cf88eec |
memory/4472-391-0x00007FFA65BF0000-0x00007FFA65C20000-memory.dmp
memory/4472-392-0x00007FFA57390000-0x00007FFA575FE000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-29 14:15
Reported
2024-05-29 14:18
Platform
win10-20240404-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BombParty.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-29 14:15
Reported
2024-05-29 14:18
Platform
win10-20240404-en
Max time kernel
132s
Max time network
138s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\EWordList.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-29 14:15
Reported
2024-05-29 14:18
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BombPartyUltra\FWordlist.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |