Malware Analysis Report

2024-11-30 13:33

Sample ID 240604-k894nsbg8y
Target Lofy_Cloner__Casa_Cloner.exe
SHA256 bded5cf8faf4c7ff8a7582538cd325da029adcae50b14f38ed4dc6adabc5673b
Tags: pyinstaller
Score: 7/10

Table of Contents

Analysis Overview

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat level: suspicious behavior (score 7/10).

Lofy_Cloner__Casa_Cloner.exe is a PyInstaller-packaged Python 3.10 program (it unpacks python310.dll at runtime) and shows suspicious behavior. The signatures are summarised below and broken out per detonation in the sections that follow.

Malicious Activity Summary

The list below is the union of all four detonations. Modifies registry class, GetForegroundWindowSpam and SetWindowsHookEx were raised only in behavioral3 and behavioral4, where the extracted main.pyc was launched directly through cmd.exe and Windows routed it to the Open With dialog (rundll32.exe shell32.dll,OpenAs_RunDLL / OpenWith.exe) and then to Adobe Reader; they describe those helper processes, not code from the sample. Suspicious use of WriteProcessMemory appears here but in none of the per-detonation signature tables.

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-06-04 09:17

Signatures

Detects Pyinstaller (tag: pyinstaller)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
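The static signature above fires on the cookie that PyInstaller's bootloader appends to the executable, and that same cookie is what lets an analyst pull the bundled scripts back out without running the sample. The following Python is an added example, not tooling from the report or the sandbox: it implements PyInstaller's CArchive layout (an 88-byte cookie at the end of the overlay pointing at a table of contents, entry offsets relative to the archive start, zlib-compressed entries) and re-attaches the 16-byte pyc header that entry-point scripts are stored without, so the output can be handed to a decompiler that understands 3.10 bytecode such as pycdc. The input here is a constructed archive produced by build_archive, not the real Lofy_Cloner__Casa_Cloner.exe; run parse_archive and extract on the real file to recover the main script that behavioral3 and behavioral4 detonate as main.pyc.

```python
"""Detect and unpack a PyInstaller onefile archive (CArchive) from a PE overlay."""
import struct
import zlib

# Cookie PyInstaller's bootloader appends to the archive: "MEI" + 0x0C 0x0B 0x0A 0x0B 0x0E.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"      # magic, package length, TOC offset, TOC length, pyvers, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"          # entry length, data offset, compressed len, uncompressed len, zlib flag, type
ENTRY_HDR = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by the NUL-padded entry name

# importlib magic numbers for the CPython versions PyInstaller bundles most often.
PYC_MAGIC = {(3, 8): 3413, (3, 9): 3425, (3, 10): 3439, (3, 11): 3495, (3, 12): 3531}


def is_pyinstaller(data: bytes) -> bool:
    """Static check equivalent to the sandbox's 'Detects Pyinstaller' signature."""
    return data.rfind(MAGIC) != -1


def python_version(pyvers: int) -> tuple:
    """The cookie stores 3.10 as 310 (PyInstaller >= 4) or e.g. 3.7 as 37 (older releases)."""
    return divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)


def parse_archive(data: bytes) -> dict:
    """Locate the cookie, then walk the table of contents it points at."""
    pos = data.rfind(MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    tail = len(data) - pos - COOKIE_LEN      # bytes after the cookie (e.g. an Authenticode certificate table)
    start = len(data) - pkg_len - tail       # archive start; every entry offset is relative to it
    toc = data[start + toc_off:start + toc_off + toc_len]
    entries, i = [], 0
    while i < len(toc):
        elen, off, clen, ulen, cflag, typ = struct.unpack(ENTRY_FMT, toc[i:i + ENTRY_HDR])
        name = toc[i + ENTRY_HDR:i + elen].rstrip(b"\0").decode()
        entries.append({"name": name, "offset": start + off, "clen": clen, "ulen": ulen,
                        "compressed": bool(cflag), "type": typ.decode()})
        i += elen
    return {"pyvers": python_version(pyvers), "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def extract(data: bytes, archive: dict, name: str) -> bytes:
    """Return one entry's decompressed bytes; entry-point scripts get a pyc header re-attached."""
    entry = next(e for e in archive["entries"] if e["name"] == name)
    raw = data[entry["offset"]:entry["offset"] + entry["clen"]]
    if entry["compressed"]:
        raw = zlib.decompress(raw)
    if entry["type"] == "s":
        # Type 's' is a bare marshalled code object; prepend magic + 12 zero bytes (flags, mtime, size)
        # so the result is a regular .pyc that decompilers accept.
        magic = PYC_MAGIC.get(archive["pyvers"])
        if magic is None:
            raise ValueError(f"no pyc magic known for Python {archive['pyvers']}")
        raw = struct.pack("<H", magic) + b"\r\n" + b"\0" * 12 + raw
    return raw


def build_archive(files, pyvers=310, pylib=b"python310.dll") -> bytes:
    """Writer side, used only to construct test input; mirrors PyInstaller's CArchive layout."""
    blob, toc = b"", b""
    for name, payload, typ in files:
        comp = zlib.compress(payload)
        nm = name.encode() + b"\0"
        elen = ENTRY_HDR + len(nm)
        if elen % 16:                        # PyInstaller pads each TOC entry to a multiple of 16
            nm += b"\0" * (16 - elen % 16)
            elen = ENTRY_HDR + len(nm)
        toc += struct.pack(ENTRY_FMT, elen, len(blob), len(comp), len(payload), 1, typ.encode()) + nm
        blob += comp
    pkg_len = len(blob) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blob), len(toc), pyvers, pylib)
    return blob + toc + cookie


# Constructed sample (not the real binary): a fake PE stub followed by a two-entry archive.
FAKE_PE_STUB = b"MZ" + b"\0" * 62
SAMPLE = FAKE_PE_STUB + build_archive([
    ("main", b"\xe3\x00\x00\x00 pretend marshalled code", "s"),
    ("python310.dll", b"MZ fake runtime dll", "b"),
])

if __name__ == "__main__":
    if is_pyinstaller(SAMPLE):
        arc = parse_archive(SAMPLE)
        print(f"Python {arc['pyvers'][0]}.{arc['pyvers'][1]}, runtime {arc['pylib']}")
        for e in arc["entries"]:
            print(f" {e['type']:<2} {e['name']:<20} {e['clen']:>6} -> {e['ulen']:>6} bytes")
        print(extract(SAMPLE, arc, "main")[:4].hex())   # 6f0d0d0a, the pyc magic for 3.10
```

On a signed binary the cookie is followed by the Authenticode certificate table, which is why the parser derives the archive start from the package length instead of assuming the cookie is the last 88 bytes of the file. Module entries (types m and M) and the PYZ archive (type z) need a further unpacking step that this example leaves out.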

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 09:17

Reported

2024-06-04 09:20

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"

Signatures

N/A

Processes

The sample appears twice with an identical command line. That is the PyInstaller onefile pattern: the bootloader unpacks the runtime to %TEMP%\_MEIxxxx (here _MEI27362, see Files) and then spawns a child copy of itself to run the embedded Python program.

C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe

"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"

C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe

"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI27362\python310.dll

MD5 a1185bef38fdba5e3fe6a71f93a9d142
SHA1 e2b40f5e518ad000002b239a84c153fdc35df4eb
SHA256 8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e
SHA512 cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 09:17

Reported

2024-06-04 09:20

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe N/A (21 identical events)

All 21 loads are by the sample process itself and correspond to the PyInstaller runtime it unpacks into %TEMP%\_MEI13042: python310.dll, VCRUNTIME140.dll, the OpenSSL and libffi DLLs and the .pyd extension modules listed under Files below.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe N/A

The sample enables SeDebugPrivilege in its own token. A plausible source is the bundled psutil extension module (_psutil_windows.cp310-win_amd64.pyd under Files), which requests this privilege when it initialises so it can inspect other processes; the report records no further use of the privilege.

Processes

The two identical sample processes are the PyInstaller bootloader and the child it spawns, as in behavioral1. The cmd.exe children only set the console window title and clear the screen, typical of a Python console tool shelling out with "title ..." and "cls"; the title string "Casa Cloner - Developed by Noritem#6666" is a usable indicator.

C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe

"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"

C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe

"C:\Users\Admin\AppData\Local\Temp\Lofy_Cloner__Casa_Cloner.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title Casa Cloner - Developed by Noritem#6666

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Every named destination is a Bing endpoint (www.bing.com, g.bing.com, tse1.mm.bing.net) or a PTR lookup through 8.8.8.8; the remaining entries are one loopback connection to 127.0.0.1:58258 and one unnamed connection to 52.111.227.14:443. None of the connections is attributed to the sample's process, and the pattern matches normal Windows 10 background traffic. No command-and-control traffic was captured in the 104 s network window.

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:58258 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI13042\python310.dll

MD5 a1185bef38fdba5e3fe6a71f93a9d142
SHA1 e2b40f5e518ad000002b239a84c153fdc35df4eb
SHA256 8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e
SHA512 cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

C:\Users\Admin\AppData\Local\Temp\_MEI13042\VCRUNTIME140.dll

MD5 a87575e7cf8967e481241f13940ee4f7
SHA1 879098b8a353a39e16c79e6479195d43ce98629e
SHA256 ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
SHA512 e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

C:\Users\Admin\AppData\Local\Temp\_MEI13042\base_library.zip

MD5 9425444153fe49d734503889ce8d1e20
SHA1 7676bc66117f1a65161c4f3da7cfb949e16ee812
SHA256 da56060a8dc19c3c3b148efda5123de9ab7ef2bb568c1ca0ac1238d000ff5d09
SHA512 ab890f7490acfa62be23989923ef430a0a26ad86bc65abcde0d2e4599ca659ab9933a87f99ead894025af202aeca89350f09099414f06e4570e3cef8aa1cef94

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_ctypes.pyd

MD5 92276f41ff9c856f4dbfa6508614e96c
SHA1 5bc8c3555e3407a3c78385ff2657de3dec55988e
SHA256 9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850
SHA512 9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

C:\Users\Admin\AppData\Local\Temp\_MEI13042\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_socket.pyd

MD5 c5378bac8c03d7ef46305ee8394560f5
SHA1 2aa7bc90c0ec4d21113b8aa6709569d59fadd329
SHA256 130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9
SHA512 1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

C:\Users\Admin\AppData\Local\Temp\_MEI13042\select.pyd

MD5 63ede3c60ee921074647ec0278e6aa45
SHA1 a02c42d3849ad8c03ce60f2fd1797b1901441f26
SHA256 cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5
SHA512 d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_bz2.pyd

MD5 a1fbcfbd82de566a6c99d1a7ab2d8a69
SHA1 3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76
SHA256 0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095
SHA512 55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_lzma.pyd

MD5 a6bee109071bbcf24e4d82498d376f82
SHA1 1babacdfaa60e39e21602908047219d111ed8657
SHA256 ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f
SHA512 8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336

C:\Users\Admin\AppData\Local\Temp\_MEI13042\psutil\_psutil_windows.cp310-win_amd64.pyd

MD5 6e04a1d41b0897878583702d398bdc88
SHA1 33f396728c57505b0b897b547c692a9cf8959a36
SHA256 be9701a1c3e48599d8c22c2c371d5493e9a97fa5063022c110842ecb886214e3
SHA512 f9fc5d2c480fb7edcad9490925b75007523adecdd0400adaaab888d12f1e67abfd614a142e38a93ba3b42de2e466f1aa0f48625e76bbe3868b9c308b0bdf4d66

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_ssl.pyd

MD5 9d810454bc451ff440ec95de36088909
SHA1 8c890b934a2d84c548a09461ca1e783810f075be
SHA256 5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7
SHA512 0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed

C:\Users\Admin\AppData\Local\Temp\_MEI13042\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\_MEI13042\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_asyncio.pyd

MD5 483bfc095eb82f33f46aefbb21d97012
SHA1 def348a201c9d1434514ca9f5fc7385ca0bd2184
SHA256 5e25e2823ed0571cfdbae0b1d1347ae035293f2b0ac454fb8b0388f3600fd4b6
SHA512 fe38b3585fbfaf7465b31fbc124420cfbd1b719ea72a9ae9f24103d056c8fa9ae21c2a7dd3073810222405457beff89bbb688daeced3219351a30992a6721705

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_overlapped.pyd

MD5 bf3e86152b52d3f0e73d0767cde63f9f
SHA1 3863c480a2d9a24288d63f83fa2586664ec813a2
SHA256 20c94846417ee3ca43daa5fae61595ad7e52645657fda5effe64800fe335ff0d
SHA512 8643f94ece38246769ff9ba87a249b8afde137cf193ff4d452937197ce576816c1ce044c4ad2951bc5535cc3acf1b27e9f2be043b8175c5a2ca2190b05dc0235

C:\Users\Admin\AppData\Local\Temp\_MEI13042\multidict\_multidict.cp310-win_amd64.pyd

MD5 1b59c87f0871fed4ff2be93c5d9234ab
SHA1 7e5c8827a5b2dec5417800ab0a2001af46ab8924
SHA256 b7151a6ffa3dc7436d09b1e35343801e11f423c6b391f1177254236ec47a3ad7
SHA512 6092628a4c73ca2d29b6f6a0d1ed34627795363c89b2a45bfc75951f8148a288707231575183ef73d4fb24c022883ab3ab30da61c92664295fffd8a36e9200df

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_hashlib.pyd

MD5 ad6e31dba413be7e082fab3dbafb3ecc
SHA1 f26886c841d1c61fb0da14e20e57e7202eefbacc
SHA256 2e30544d07f1c55d741b03992ea57d1aa519edaaa121e889f301a5b8b6557fe4
SHA512 6401664e5c942d98c6fa955cc2424dfa0c973bd0ac1e515f7640c975bba366af1b3e403ea50e753f837dcd82a04af2ce043e22b15fa9976af7cbb30b3ac80452

C:\Users\Admin\AppData\Local\Temp\_MEI13042\unicodedata.pyd

MD5 d67ac58da9e60e5b7ef3745fdda74f7d
SHA1 092faa0a13f99fd05c63395ee8ee9aa2bb1ca478
SHA256 09e1d1e9190160959696aeddb0324667fef39f338edc28f49b5f518b92f27f5f
SHA512 9d510135e4106fef0640565e73d438b4398f7aa65a36e3ea21d8241f07fec7a23e721e8696b3605147e5ce5365684e84e8145001201a19d7537e8f61b20cf32c

C:\Users\Admin\AppData\Local\Temp\_MEI13042\yarl\_quoting_c.cp310-win_amd64.pyd

MD5 7e620bd4ba53daae5df632f2774b9788
SHA1 28ec3b998f376b59483ad4391a0c2df2c634f308
SHA256 84c696ed1b5ba6a3819d73b6f27aee93bca72286b32307fe259e23dfc1cfacec
SHA512 e2d012dd9a7959c0e06340de3728d6e800b56cc0bc8d525c38dd49d9874095d2edc3ae06862d1a21e873c0da0678e8ab3bc95a57777d746f0d6d8b0c6c08c202

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_uuid.pyd

MD5 6cfc03bc247a7b8c3c38f1841319f348
SHA1 c28cf20c3e1839cff5dce35a9ffd20aa4ac2a2cf
SHA256 b7fd172339478adaa5f4060eb760f905a2af55ce7e017b57de61ee09dcb09750
SHA512 bd123566a104568e2ec407b35446cb07c660035a77a1e11a8d8d90518c1a83b6815bf694676fa003b074126dcd0594457195f835df7bc828df1195db6584d23b

C:\Users\Admin\AppData\Local\Temp\_MEI13042\_queue.pyd

MD5 8dd33fe76645636520c5d976b8a2b6fc
SHA1 12988ddd52cbb0ce0f3b96ce19a1827b237ed5f7
SHA256 8e7e758150ea066299a956f268c3eb04bc800e9f3395402cd407c486844a9595
SHA512 e7b4b5662ebd8efb2e4b6f47eb2021afacd52b100db2df66331ca79a4fb2149cac621d5f18ab8ab9cfadbd677274db798ebad9b1d3e46e29f4c92828fd88c187

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 09:17

Reported

2024-06-04 09:20

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

This run launches the extracted entry-point script main.pyc directly through cmd.exe instead of the packed executable. No program is registered for .pyc on the sandbox image, so Windows opens the Open With dialog (rundll32.exe shell32.dll,OpenAs_RunDLL) and the run proceeds with Adobe Reader 9 as the chosen handler. The registry changes below (pyc_auto_file pointing .pyc at AcroRd32.exe) and the hook and foreground-window signatures belong to that dialog and to Adobe Reader, not to the sample's code; the Python bytecode is never executed in this run.

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 db9cbac9a1fa3dd7b401b6db295c0e75
SHA1 a020000101b6970aa32f8160f870e175f7284835
SHA256 347a242f5b296e2093db5842c5b3604561d085e7d927b510bcdb0fb3890c20b1
SHA512 b402c22a5f61c69ac24349ccaf945f15a2c524970ceaf841e326d7841694c004119eee4488afa02355ef33e7f1dafb683f357365c6719e5fddb22082d85964e8

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-04 09:17

Reported

2024-06-04 09:20

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

Same entry point as behavioral3, launched through cmd.exe. On this Windows 10 image the .pyc association is unresolved as well, so the only child process is the Open With host (OpenWith.exe -Embedding), and the registry and SetWindowsHookEx signatures below belong to it. The bytecode is not executed in this run either.

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

As in behavioral2, the traffic consists of Bing endpoints and PTR lookups through 8.8.8.8 with no connection attributed to the sample; nothing here indicates command-and-control activity.

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A