Analysis Overview
SHA256
bded5cf8faf4c7ff8a7582538cd325da029adcae50b14f38ed4dc6adabc5673b
Threat Level: Shows suspicious behavior
The file Lofy_Cloner__Casa_Cloner.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 09:17
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
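The two static signatures above, "Detects Pyinstaller" and "Unsigned PE", can be reproduced offline without the sandbox. The script below is an added example; it is not part of this report and not code from the analysed sample. It walks the PE header to see whether the Security data directory (the Authenticode certificate table) is populated, and searches for the PyInstaller CArchive cookie, which records the bundled Python version and shared library name (the dropped python310.dll in the behavioral runs indicates Python 3.10). `build_sample_pe` is a constructed helper that emits a minimal, non-executable PE32+ blob so the checks can be exercised without the real file; its cookie field values are made up.

```python
"""Reproduce the report's two static signatures: PyInstaller detection and Authenticode presence."""
import struct
import sys

# PyInstaller CArchive cookie (PyInstaller >= 2.1 layout, big-endian): magic, package length,
# TOC offset, TOC length, Python version, name of the bundled Python shared library.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes
IMAGE_DIRECTORY_ENTRY_SECURITY = 4         # index of the certificate table in the data directories


def authenticode_present(data: bytes) -> bool:
    """True if the Security data directory points at a non-empty certificate table.
    This only proves a signature blob is attached; it does not validate it
    (use 'signtool verify /pa' or Get-AuthenticodeSignature on the real file for that)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    # Unlike other directories, the Security entry holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return offset != 0 and size != 0


def find_pyinstaller_cookie(data: bytes):
    """Locate and parse the PyInstaller cookie; it sits at the tail of the appended archive."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Version encoding changed over time: 27/36/37 (major*10+minor) vs 310/311 (major*100+minor).
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def analyze_pe(data: bytes) -> dict:
    """Emit the same two verdicts as the static signatures, plus what the cookie reveals."""
    cookie = find_pyinstaller_cookie(data)
    return {
        "unsigned_pe": not authenticode_present(data),
        "pyinstaller": cookie is not None,
        "python_version": cookie["python_version"] if cookie else None,
        "python_lib": cookie["python_lib"] if cookie else None,
    }


def build_sample_pe(signed: bool, pyinstaller: bool) -> bytes:
    """Constructed minimal PE32+ image (headers only, not runnable) so the checks can be tried offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)         # AMD64, SizeOfOptionalHeader=240
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x1000, 0x800)             # pretend a WIN_CERTIFICATE table exists
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    image = dos + b"PE\0\0" + coff + opt
    if pyinstaller:                                                         # made-up cookie values
        image += b"\0" * 32 + struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 3000, 512, 310, b"python310.dll")
    return image


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(False, True)
    print(analyze_pe(blob))
```

On a real PyInstaller binary the cookie's TOC offset and length are what tools such as pyinstxtractor use to enumerate and carve the embedded entries (the bundled .pyd/.dll files listed under Files here, and the main script's .pyc). A populated certificate table is not the same as a valid signature: a tampered or self-signed file still has one.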
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 09:17
Reported
2024-06-04 09:20
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe |
| PID 2736 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe |
| PID 2736 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe
"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"
C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe
"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI27362\python310.dll
| MD5 | a1185bef38fdba5e3fe6a71f93a9d142 |
| SHA1 | e2b40f5e518ad000002b239a84c153fdc35df4eb |
| SHA256 | 8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e |
| SHA512 | cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 09:17
Reported
2024-06-04 09:20
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
104s
Command Line
Signatures
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe
"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"
C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe
"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Casa Cloner - Developed by Noritem#6666
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:58258 | N/A | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI13042\python310.dll
| MD5 | a1185bef38fdba5e3fe6a71f93a9d142 |
| SHA1 | e2b40f5e518ad000002b239a84c153fdc35df4eb |
| SHA256 | 8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e |
| SHA512 | cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\base_library.zip
| MD5 | 9425444153fe49d734503889ce8d1e20 |
| SHA1 | 7676bc66117f1a65161c4f3da7cfb949e16ee812 |
| SHA256 | da56060a8dc19c3c3b148efda5123de9ab7ef2bb568c1ca0ac1238d000ff5d09 |
| SHA512 | ab890f7490acfa62be23989923ef430a0a26ad86bc65abcde0d2e4599ca659ab9933a87f99ead894025af202aeca89350f09099414f06e4570e3cef8aa1cef94 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_ctypes.pyd
| MD5 | 92276f41ff9c856f4dbfa6508614e96c |
| SHA1 | 5bc8c3555e3407a3c78385ff2657de3dec55988e |
| SHA256 | 9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850 |
| SHA512 | 9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_socket.pyd
| MD5 | c5378bac8c03d7ef46305ee8394560f5 |
| SHA1 | 2aa7bc90c0ec4d21113b8aa6709569d59fadd329 |
| SHA256 | 130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9 |
| SHA512 | 1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\select.pyd
| MD5 | 63ede3c60ee921074647ec0278e6aa45 |
| SHA1 | a02c42d3849ad8c03ce60f2fd1797b1901441f26 |
| SHA256 | cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5 |
| SHA512 | d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_bz2.pyd
| MD5 | a1fbcfbd82de566a6c99d1a7ab2d8a69 |
| SHA1 | 3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76 |
| SHA256 | 0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095 |
| SHA512 | 55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_lzma.pyd
| MD5 | a6bee109071bbcf24e4d82498d376f82 |
| SHA1 | 1babacdfaa60e39e21602908047219d111ed8657 |
| SHA256 | ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f |
| SHA512 | 8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\psutil\_psutil_windows.cp310-win_amd64.pyd
| MD5 | 6e04a1d41b0897878583702d398bdc88 |
| SHA1 | 33f396728c57505b0b897b547c692a9cf8959a36 |
| SHA256 | be9701a1c3e48599d8c22c2c371d5493e9a97fa5063022c110842ecb886214e3 |
| SHA512 | f9fc5d2c480fb7edcad9490925b75007523adecdd0400adaaab888d12f1e67abfd614a142e38a93ba3b42de2e466f1aa0f48625e76bbe3868b9c308b0bdf4d66 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_ssl.pyd
| MD5 | 9d810454bc451ff440ec95de36088909 |
| SHA1 | 8c890b934a2d84c548a09461ca1e783810f075be |
| SHA256 | 5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7 |
| SHA512 | 0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\libssl-1_1.dll
| MD5 | de72697933d7673279fb85fd48d1a4dd |
| SHA1 | 085fd4c6fb6d89ffcc9b2741947b74f0766fc383 |
| SHA256 | ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f |
| SHA512 | 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_asyncio.pyd
| MD5 | 483bfc095eb82f33f46aefbb21d97012 |
| SHA1 | def348a201c9d1434514ca9f5fc7385ca0bd2184 |
| SHA256 | 5e25e2823ed0571cfdbae0b1d1347ae035293f2b0ac454fb8b0388f3600fd4b6 |
| SHA512 | fe38b3585fbfaf7465b31fbc124420cfbd1b719ea72a9ae9f24103d056c8fa9ae21c2a7dd3073810222405457beff89bbb688daeced3219351a30992a6721705 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_overlapped.pyd
| MD5 | bf3e86152b52d3f0e73d0767cde63f9f |
| SHA1 | 3863c480a2d9a24288d63f83fa2586664ec813a2 |
| SHA256 | 20c94846417ee3ca43daa5fae61595ad7e52645657fda5effe64800fe335ff0d |
| SHA512 | 8643f94ece38246769ff9ba87a249b8afde137cf193ff4d452937197ce576816c1ce044c4ad2951bc5535cc3acf1b27e9f2be043b8175c5a2ca2190b05dc0235 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\multidict\_multidict.cp310-win_amd64.pyd
| MD5 | 1b59c87f0871fed4ff2be93c5d9234ab |
| SHA1 | 7e5c8827a5b2dec5417800ab0a2001af46ab8924 |
| SHA256 | b7151a6ffa3dc7436d09b1e35343801e11f423c6b391f1177254236ec47a3ad7 |
| SHA512 | 6092628a4c73ca2d29b6f6a0d1ed34627795363c89b2a45bfc75951f8148a288707231575183ef73d4fb24c022883ab3ab30da61c92664295fffd8a36e9200df |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_hashlib.pyd
| MD5 | ad6e31dba413be7e082fab3dbafb3ecc |
| SHA1 | f26886c841d1c61fb0da14e20e57e7202eefbacc |
| SHA256 | 2e30544d07f1c55d741b03992ea57d1aa519edaaa121e889f301a5b8b6557fe4 |
| SHA512 | 6401664e5c942d98c6fa955cc2424dfa0c973bd0ac1e515f7640c975bba366af1b3e403ea50e753f837dcd82a04af2ce043e22b15fa9976af7cbb30b3ac80452 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\unicodedata.pyd
| MD5 | d67ac58da9e60e5b7ef3745fdda74f7d |
| SHA1 | 092faa0a13f99fd05c63395ee8ee9aa2bb1ca478 |
| SHA256 | 09e1d1e9190160959696aeddb0324667fef39f338edc28f49b5f518b92f27f5f |
| SHA512 | 9d510135e4106fef0640565e73d438b4398f7aa65a36e3ea21d8241f07fec7a23e721e8696b3605147e5ce5365684e84e8145001201a19d7537e8f61b20cf32c |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\yarl\_quoting_c.cp310-win_amd64.pyd
| MD5 | 7e620bd4ba53daae5df632f2774b9788 |
| SHA1 | 28ec3b998f376b59483ad4391a0c2df2c634f308 |
| SHA256 | 84c696ed1b5ba6a3819d73b6f27aee93bca72286b32307fe259e23dfc1cfacec |
| SHA512 | e2d012dd9a7959c0e06340de3728d6e800b56cc0bc8d525c38dd49d9874095d2edc3ae06862d1a21e873c0da0678e8ab3bc95a57777d746f0d6d8b0c6c08c202 |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_uuid.pyd
| MD5 | 6cfc03bc247a7b8c3c38f1841319f348 |
| SHA1 | c28cf20c3e1839cff5dce35a9ffd20aa4ac2a2cf |
| SHA256 | b7fd172339478adaa5f4060eb760f905a2af55ce7e017b57de61ee09dcb09750 |
| SHA512 | bd123566a104568e2ec407b35446cb07c660035a77a1e11a8d8d90518c1a83b6815bf694676fa003b074126dcd0594457195f835df7bc828df1195db6584d23b |
C:\Users\Admin\AppData\Local\Temp\_MEI13042\_queue.pyd
| MD5 | 8dd33fe76645636520c5d976b8a2b6fc |
| SHA1 | 12988ddd52cbb0ce0f3b96ce19a1827b237ed5f7 |
| SHA256 | 8e7e758150ea066299a956f268c3eb04bc800e9f3395402cd407c486844a9595 |
| SHA512 | e7b4b5662ebd8efb2e4b6f47eb2021afacd52b100db2df66331ca79a4fb2149cac621d5f18ab8ab9cfadbd677274db798ebad9b1d3e46e29f4c92828fd88c187 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-04 09:17
Reported
2024-06-04 09:20
Platform
win7-20240221-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1720 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1720 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2644 wrote to memory of 2980 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2980 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2980 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2980 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
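What the "Modifies registry class" rows in behavioral3 record is a per-user file association being written under HKU\<SID>_Classes: .pyc is pointed at a new pyc_auto_file ProgID whose shell\Read\command is AcroRd32.exe. The writer is rundll32.exe running shell32.dll,OpenAs_RunDLL, which is the Windows "Open With" dialog. `cmd /c main.pyc` found no registered handler for .pyc, the dialog came up, and something in the VM (in practice the sandbox's UI automation) picked Adobe Reader. That is why AcroRd32.exe, not a Python interpreter, ends up opening main.pyc, and why the GetForegroundWindowSpam and SetWindowsHookEx hits in this run belong to Reader. Neither behavioral3 nor behavioral4 shows a Python process, so the .pyc never executed in those runs; behavioral4 is the same dialog on Windows 10 (OpenWith.exe -Embedding), which only touches the Local Settings key. The parser below is an added example and not part of the report: the rows and process command lines are copied from the behavioral3 tables, and the rule that treats rundll32 OpenAs_RunDLL or OpenWith.exe as the Open With dialog is an assumption of mine, not a sandbox signature.

```python
"""Decode 'Modifies registry class' rows: which extension was bound to which handler, and by whom."""
import re
from ntpath import basename

# Rows copied from the behavioral3 'Modifies registry class' table: (action, indicator, process).
REGISTRY_ROWS = [
    ("Key created", r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell", r"C:\Windows\system32\rundll32.exe"),
    ("Key created", r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings", r"C:\Windows\system32\rundll32.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pyc\ = "pyc_auto_file"', r"C:\Windows\system32\rundll32.exe"),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\ ", r"C:\Windows\system32\rundll32.exe"),
    ("Key created", r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command", r"C:\Windows\system32\rundll32.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""', r"C:\Windows\system32\rundll32.exe"),
]

# Process command lines copied from the behavioral3 Processes list.
PROCESS_CMDLINES = {
    r"C:\Windows\system32\cmd.exe": r"cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc",
    r"C:\Windows\system32\rundll32.exe": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc',
}

# Per-user classes hive as the sandbox prints it: \REGISTRY\USER\<SID>_Classes\<class path>
KEY_RE = re.compile(r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)_(?i:classes)\\(?P<rest>.*)$")


def unquote_value(raw: str) -> str:
    """Strip the outer quotes and undo the backslash escaping of quotes and backslashes in string values."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r'\\(["\\])', r"\1", raw)


def parse_row(action: str, indicator: str):
    """Return (class path components, value name, value) for a row under HKU\\<SID>_Classes, else None.
    The value name is None for 'Key created' rows and '' for a key's (Default) value."""
    key, value_name, value = indicator, None, None
    if action.startswith("Set value"):
        left, sep, right = indicator.partition(" = ")
        key, _, value_name = left.rstrip().rpartition("\\")
        value = unquote_value(right) if sep else ""
    m = KEY_RE.match(key)
    if not m:
        return None
    return m.group("rest").split("\\"), value_name, value


def handler_from_command(cmd: str) -> str:
    """First token of a shell command: the quoted executable if present, else up to the first space."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def written_by_open_with_dialog(process: str, cmdlines: dict) -> bool:
    """Assumed heuristic: rundll32 shell32.dll,OpenAs_RunDLL (Win7) or OpenWith.exe (Win10) is the Open With dialog."""
    image = basename(process).lower()
    cmdline = cmdlines.get(process, "").lower()
    return image == "openwith.exe" or (image == "rundll32.exe" and "openas_rundll" in cmdline)


def summarize_class_changes(rows, cmdlines):
    """Join '<ext> (Default) = <progid>' with '<progid>\\shell\\<verb>\\command (Default)' into handler bindings."""
    ext_to_progid, commands = {}, {}
    for action, indicator, process in rows:
        parsed = parse_row(action, indicator)
        if parsed is None:
            continue
        parts, value_name, value = parsed
        if value_name != "":                      # only (Default) values carry the association
            continue
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0]] = value
        elif len(parts) == 4 and parts[1].lower() == "shell" and parts[3].lower() == "command":
            commands[(parts[0], parts[2])] = (value, process)
    findings = []
    for ext, progid in ext_to_progid.items():
        for (pid, verb), (cmd, writer) in commands.items():
            if pid == progid:
                findings.append({
                    "extension": ext, "progid": progid, "verb": verb,
                    "handler": handler_from_command(cmd), "writer": writer,
                    "set_by_open_with_dialog": written_by_open_with_dialog(writer, cmdlines),
                })
    return findings


def verdict(finding: dict) -> str:
    if finding["set_by_open_with_dialog"]:
        return f"{finding['extension']} -> {finding['handler']}: Open With dialog residue, not persistence"
    return f"{finding['extension']} -> {finding['handler']}: handler set by {finding['writer']}, review as possible association hijack"


if __name__ == "__main__":
    for f in summarize_class_changes(REGISTRY_ROWS, PROCESS_CMDLINES):
        print(verdict(f))
```

The same `<ext>` to `<name>_auto_file` to `shell\<verb>\command` chain written by any other process (the sample itself, a script host, a dropped binary) is exactly what a file-association hijack looks like, which is why the writer process, not the key path, decides the verdict here.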
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | db9cbac9a1fa3dd7b401b6db295c0e75 |
| SHA1 | a020000101b6970aa32f8160f870e175f7284835 |
| SHA256 | 347a242f5b296e2093db5842c5b3604561d085e7d927b510bcdb0fb3890c20b1 |
| SHA512 | b402c22a5f61c69ac24349ccaf945f15a2c524970ceaf841e326d7841694c004119eee4488afa02355ef33e7f1dafb683f357365c6719e5fddb22082d85964e8 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-04 09:17
Reported
2024-06-04 09:20
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
149s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 121.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
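Both Network tables (behavioral2 above and this one) consist almost entirely of two kinds of rows: PTR queries (`x.x.x.x.in-addr.arpa`) that Windows issues for addresses it has been talking to, and Bing traffic a stock Windows 10 image generates on its own. No destination beyond Microsoft's Bing hosts is named; the rows that still deserve a look are the TCP connections with no domain attached (127.0.0.1:58258 and 52.111.227.14:443 in behavioral2) and the PTR lookups for addresses that never appear as a TCP destination. The script below is an added example, not part of the report: it decodes PTR names back to IPs, correlates them with the TCP rows, and separates known background traffic from what to follow up in the pcap. The rows are copied from the behavioral2 table (a subset, with the blank Domain cells written as N/A); the allowlist of background domains is an assumption, not something the sandbox states.

```python
"""Triage a sandbox Network table: decode PTR lookups, correlate with TCP destinations, split noise from review items."""
import ipaddress
import json

# Rows copied from the behavioral2 Network table (representative subset): (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("N/A", "127.0.0.1:58258", "N/A", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("NL", "23.62.61.129:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("US", "52.111.227.14:443", "N/A", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# Assumed allowlist: domains a stock Windows 10 image contacts by itself (Start menu / search).
BACKGROUND_DOMAIN_SUFFIXES = (".bing.com", ".bing.net")


def ptr_to_ip(name: str):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if the name is not an IPv4 reverse lookup."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage_network(rows, background_suffixes=BACKGROUND_DOMAIN_SUFFIXES) -> dict:
    reverse_lookups, forward_lookups, connections = set(), set(), []
    for _country, destination, domain, proto in rows:
        ip, _, port = destination.rpartition(":")
        dom = None if domain in ("", "N/A") else domain
        if proto == "udp" and port == "53" and dom:        # DNS: record what was asked, no connection yet
            ptr_ip = ptr_to_ip(dom)
            if ptr_ip:
                reverse_lookups.add(ptr_ip)
            else:
                forward_lookups.add(dom)
            continue
        if proto == "tcp":
            connections.append((ip, int(port), dom))

    report = {"background": [], "loopback": [], "review": []}
    seen = set()
    for ip, port, dom in connections:
        if (ip, port) in seen:                             # the table repeats one row per connection
            continue
        seen.add((ip, port))
        entry = {"ip": ip, "port": port, "domain": dom, "ptr_queried": ip in reverse_lookups}
        if ipaddress.ip_address(ip).is_loopback:
            report["loopback"].append(entry)
        elif dom and dom.endswith(background_suffixes):
            report["background"].append(entry)
        else:
            report["review"].append(entry)
    # PTR lookups for IPs never seen as a TCP destination, and names resolved but never connected to.
    report["reverse_only"] = sorted(reverse_lookups - {ip for ip, _, _ in connections})
    report["resolved_not_connected"] = sorted(forward_lookups - {d for _, _, d in connections if d})
    return report


if __name__ == "__main__":
    print(json.dumps(triage_network(NETWORK_ROWS), indent=2))
```

"review" and "reverse_only" are follow-up lists, not verdicts: confirm ownership of the addresses (WHOIS, the pcap's TLS SNI) before calling anything a contact from the sample rather than from the OS image.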