Analysis
-
max time kernel
134s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
11/06/2024, 15:30
Behavioral task
behavioral1
Sample
TF2CDownloaderWindows.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
TF2CDownloaderWindows.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
tf2c_downloader.pyc
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
tf2c_downloader.pyc
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
tf2c_downloader.pyc
-
Size
5KB
-
MD5
985f063219016ac08c590953c4cd0b90
-
SHA1
804ad83879dbe54670827793e3385d217a56bfdb
-
SHA256
54ba0e81c893c3381526504a167c2e396d3c3f85e86f4d9c64aa0b90d2f911cb
-
SHA512
b555247c6424d7f62fb5cbb5c79ae7b6524e65ec5fdf35cb74755c9258cbbe3611e7b74378bf534eef4d632b7b7e5dcc10f1eed6a0d6f9639331d1e0db7cda9a
-
SSDEEP
96:KWw5RovLDMcD4zlMHr46bp63gito2eWerQG5ul2TL4w0RO:KjwnM/zSryLqoZGpkO
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4584 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 876 OpenWith.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe 876 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 876 wrote to memory of 4584 876 OpenWith.exe 74 PID 876 wrote to memory of 4584 876 OpenWith.exe 74
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\tf2c_downloader.pyc1⤵
- Modifies registry class
PID:2272
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tf2c_downloader.pyc2⤵
- Opens file in notepad (likely ransom note)
PID:4584
-