Analysis
max time kernel: 133s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 18:42
Behavioral task: behavioral1
Sample: Celex_V2.exe
Resource: win10v2004-20240508-en (windows10-2004-x64)
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: cstealer.pyc
Resource: win10v2004-20240508-en (windows10-2004-x64)
6 signatures, 150 seconds
General
Target: cstealer.pyc
Size: 39KB
MD5: 859d53b651327931b647406b22a76e60
SHA1: 128ed3b3f2d4ff3e3ce4562b4d6dd19e01008414
SHA256: c069a156ac0ad7c0fddb43a28fcc7cf8b09b07c0ce1fb6de8648e399e206debb
SHA512: b6b8fe39a3bc66dc10c8c56b12a47ee5b2e46241d80004cc928dc983a8ae9dd1fa855eb16cae061fec9fac425b3c01039269b40710d8d1e206b0782ba5649140
SSDEEP: 768:fuAF/lvck17WnMGF+5JsylM3jprKBBbxoZUM4PqVfqrY9Wygqxie3HrKl4HYiBe/:x/ukW0JsyC3F6OUM6qVirY9WygWiMujf
Score: 3/10
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes: cmd.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | OpenWith.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
pid | process
1720 | NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: OpenWith.exe
pid | process
2988 | OpenWith.exe

Suspicious use of SetWindowsHookEx (29 IoCs)
Processes: OpenWith.exe
pid | process
2988 | OpenWith.exe (29 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: OpenWith.exe
description | pid | process | target process
PID 2988 wrote to memory of 1720 | 2988 | OpenWith.exe | NOTEPAD.EXE
PID 2988 wrote to memory of 1720 | 2988 | OpenWith.exe | NOTEPAD.EXE
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
    - Opens file in notepad (likely ransom note)