Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 19:26
Behavioral tasks
behavioral1: Sample Usermode_Font_Driver_Host.exe, Resource win7-20240221-en
behavioral2: Sample Usermode_Font_Driver_Host.exe, Resource win10v2004-20240426-en
behavioral3: Sample FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc, Resource win7-20240508-en
behavioral4: Sample FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc, Resource win10v2004-20240508-en
General
Target: FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc
Size: 57KB
MD5: 60b8028c9eb3d44737f4c6d9ac7c533c
SHA1: 96d82ff6be6b8706718a7057a66a59449a2c79bd
SHA256: e59dbebef0de2d2f52ce32c96a9dabde0772b0c8cf4b5d0853ba8619a4a5f04b
SHA512: 2de02b9bb0810cc01408675ba7851fe7cdce886d813ce1f1d12de282a61d3692b134e3b1678aaaad1f925a4603a750c25e74ab5d28aae90c7d05ea2fac5b7f51
SSDEEP: 768:XlRydzFvesK7wchntnTlqv/ofgfDfv5SnOer6bUAfBr/LSCFrqEqvjz03:WdxvWqv/U16bFzyPa
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4224 | OpenWith.exe

Suspicious use of SetWindowsHookEx (23 IoCs)
pid | Process
4224 | OpenWith.exe (23 occurrences)
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc
  - Modifies registry class
  PID: 548

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 4224
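A caveat on reading this process tree: the sandbox launched the sample with `cmd /c <path>.pyc`, and the only other process is `OpenWith.exe -Embedding`, which is the COM-activated "How do you want to open this file?" dialog that ShellExecute raises when no application is associated with the extension. The registry-class, GetForegroundWindowSpam and SetWindowsHookEx hits all belong to PID 4224 (that dialog); nothing in the tree shows a Python interpreter loading the file, so the bytecode itself was not exercised here. To decide which interpreter the sample targets before re-running it with a proper handler, the .pyc header is enough. The following parser is an added example, not code from the report or the sandbox vendor; the magic-number table and the PEP 552 header layout are from CPython, and the demo bytes at the bottom are constructed for illustration, not taken from the sample.

```python
"""Identify the CPython release a .pyc file was compiled for from its header.

Added example (not part of the sandbox report). Header layouts:
  Python 2.x      : magic(4) + mtime(4)                       -> marshal at 8
  Python 3.3-3.6  : magic(4) + mtime(4) + source_size(4)      -> marshal at 12
  Python 3.7+     : magic(4) + flags(4) + mtime(4)+size(4)    -> marshal at 16
                    or, if flags bit0 set (PEP 552), 8-byte SipHash of source.
The 4-byte magic is a little-endian 16-bit "magic word" followed by b"\\r\\n".
"""
import struct
import sys

# Magic words of the final releases (from CPython Lib/importlib/_bootstrap_external.py).
# Pre-release words between entries map to "unknown"; pre-3.3 words are not handled.
MAGIC_WORDS = {
    62211: "2.7",
    3351: "3.5",
    3379: "3.6",
    3394: "3.7",
    3413: "3.8",
    3425: "3.9",
    3439: "3.10",
    3495: "3.11",
    3531: "3.12",
    3571: "3.13",
}

PEP552_FIRST_WORD = 3392  # 3.7a4 introduced the flags field


def parse_pyc_header(data: bytes) -> dict:
    """Return a dict describing the .pyc header; raise ValueError if not a .pyc."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc file (magic does not end in CR LF)")
    word = struct.unpack("<H", data[:2])[0]
    info = {"magic_word": word, "python_version": MAGIC_WORDS.get(word, "unknown")}

    if word >= 60000:
        # Python 2 family: only a source mtime follows the magic.
        info["mtime"] = struct.unpack("<I", data[4:8])[0]
        info["marshal_offset"] = 8
        return info

    if word < PEP552_FIRST_WORD:
        # Python 3.3 - 3.6: mtime plus source size, no flags field.
        if len(data) < 12:
            raise ValueError("truncated 3.3-3.6 header")
        info["mtime"], info["source_size"] = struct.unpack("<II", data[4:12])
        info["marshal_offset"] = 12
        return info

    # Python 3.7+ (PEP 552): flags word decides what the next 8 bytes mean.
    if len(data) < 16:
        raise ValueError("truncated PEP 552 header")
    flags = struct.unpack("<I", data[4:8])[0]
    info["hash_based"] = bool(flags & 1)
    info["check_source"] = bool(flags & 2)
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()
    else:
        info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    info["marshal_offset"] = 16
    return info


def parse_pyc_file(path: str) -> dict:
    """Read only the 16-byte header; the marshal body is never unmarshalled."""
    with open(path, "rb") as fh:
        return parse_pyc_header(fh.read(16))


def _build_demo(word: int, flags: int, payload: bytes) -> bytes:
    """Constructed header bytes for the demo below (not real sample data)."""
    return struct.pack("<H", word) + b"\r\n" + struct.pack("<I", flags) + payload


# Constructed inputs: a 3.8 timestamp-based header and a 3.11 hash-based one.
DEMO_38 = _build_demo(3413, 0, struct.pack("<II", 1717443960, 58101))
DEMO_311_HASH = _build_demo(3495, 3, bytes.fromhex("0011223344556677"))

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, parse_pyc_file(path))
    else:
        print("demo 3.8  :", parse_pyc_header(DEMO_38))
        print("demo 3.11 :", parse_pyc_header(DEMO_311_HASH))
```

Run it against the sample with the file path as argument; with no arguments it parses the two constructed headers. A header that decodes to an unknown word, or a hash-based header with `check_source` set, tells you the interpreter version you must stage in the next sandbox run and whether the interpreter would have validated the bytecode against a source file that is not present.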