Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 15:07
Behavioral tasks
behavioral1  Sample: Vedani-Crypter-Lifetime-Activated-main.zip  Resource: win7-20240508-en
behavioral2  Sample: Vedani-Crypter-Lifetime-Activated-main.zip  Resource: win10v2004-20240508-en
behavioral3  Sample: test.pyc  Resource: win7-20240221-en
behavioral4  Sample: test.pyc  Resource: win10v2004-20240508-en
General
Target: test.pyc
Size: 883B
MD5: 9829a76c392c1eff6118cfa867a59740
SHA1: dda3868565de67012f306ea550a26bcdc440126c
SHA256: cad358179be1bc7745ee7cb2fea6f0131d3f7ef7ec1df7767379e1fffbd1e629
SHA512: 3580bc1618967038c6527c8d17713240a6e34cf2f1382a1e1f756b1bc0595d7d90847677d3c0cd90358588aa6bbc56e871a57ca5bbbe725d2dade8e50c0fb499
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (12 IoCs)
Processes: rundll32.exe
description      ioc                                                                                                                          process
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file                                         rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\                                        rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc                                                  rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell                                   rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\edit\command                      rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\open\command                      rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings                                        rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file"                               rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\edit                              rundll32.exe
Key created      \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\open                              rundll32.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
pid   process
2868  NOTEPAD.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, rundll32.exe
description                         pid   process       target process
PID 2984 wrote to memory of 2668    2984  cmd.exe       2668 rundll32.exe
PID 2984 wrote to memory of 2668    2984  cmd.exe       2668 rundll32.exe
PID 2984 wrote to memory of 2668    2984  cmd.exe       2668 rundll32.exe
PID 2668 wrote to memory of 2868    2668  rundll32.exe  2868 NOTEPAD.EXE
PID 2668 wrote to memory of 2868    2668  rundll32.exe  2868 NOTEPAD.EXE
PID 2668 wrote to memory of 2868    2668  rundll32.exe  2868 NOTEPAD.EXE

Note on reading these signatures: the rundll32.exe process in the tree below is invoked as shell32.dll,OpenAs_RunDLL, which is the Windows "Open With" dialog for a file type with no registered handler (.pyc on this image). The registry writes above are what that dialog records when Notepad is chosen: a pyc_auto_file class whose open and edit commands point at NOTEPAD.EXE. The "likely ransom note" signature fires on the Notepad launch itself; the sample bytes were never executed, only opened as text.
Processes
C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\test.pyc
  PID: 2984
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\test.pyc
    PID: 2668
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.pyc
      PID: 2868
      - Opens file in notepad (likely ransom note)