Analysis
max time kernel: 79s
max time network: 80s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-06-2024 09:06
Behavioral task: behavioral1
Sample: cch_blum_re.pyc
Resource: win10-20240404-en
6 signatures
120 seconds
General
Target: cch_blum_re.pyc
Size: 7KB
MD5: b3b9b54ddc84df18135852ee3ede2383
SHA1: 6841a45353951cbbb8a9bb7a8489a1ab43ce4669
SHA256: b8e5ae90d66993923b851d0aeb26c0031b56f46a7151d71a0fee2b77bd9bf691
SHA512: 86db3c0eba1533bbe3ca62c324106e199756c09aa5477ab90c0711c28cc01fade9f87f89ebba78117102775194b0a197f95f93c95a8e5ec7c3a0295d494dee68
SSDEEP: 192:8w5Cpjqg1Bo123UpK/PIFwH7GSPFy0xg60GeA:sWmK23UpK/P/bG8aA
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | OpenWith.exe
Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  396 | NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  pid | process
  992 | OpenWith.exe
Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: OpenWith.exe
  pid | process
  992 | OpenWith.exe (17 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description | pid | process | target process
  PID 992 wrote to memory of 396 | 992 | OpenWith.exe | NOTEPAD.EXE
  PID 992 wrote to memory of 396 | 992 | OpenWith.exe | NOTEPAD.EXE
Processes
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\cch_blum_re.pyc
  - Modifies registry class
  PID: 4284
C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 992
  C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cch_blum_re.pyc
    - Opens file in notepad (likely ransom note)
    PID: 396