Malware Analysis Report

2024-11-30 13:02

Sample ID 240620-dfd27svelc
Target Nuwo.exe
SHA256 2c651f28deb6fcc73bff766609ba0b33a3df4607378237b5b25588c033c52064
Tags pyinstaller upx
Score 7/10


Analysis Overview

Score 7/10

SHA256 2c651f28deb6fcc73bff766609ba0b33a3df4607378237b5b25588c033c52064

Threat Level: Shows suspicious behavior

The file Nuwo.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags pyinstaller upx

Loads dropped DLL

UPX packed file

Enumerates physical storage devices

Detects Pyinstaller

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported 2024-06-20 02:56

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-20 02:56
Reported 2024-06-20 02:57
Platform win7-20240508-en
Max time kernel 42s
Max time network 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nuwo.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Users\Admin\AppData\Local\Temp\Nuwo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Nuwo.exe

"C:\Users\Admin\AppData\Local\Temp\Nuwo.exe"

C:\Users\Admin\AppData\Local\Temp\Nuwo.exe

"C:\Users\Admin\AppData\Local\Temp\Nuwo.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI16362\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab


Analysis: behavioral2

Detonation Overview

Submitted 2024-06-20 02:56
Reported 2024-06-20 02:57
Platform win10v2004-20240226-en
Max time kernel 47s
Max time network 50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nuwo.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Users\Admin\AppData\Local\Temp\Nuwo.exe
PID 3764 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Nuwo.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Nuwo.exe

"C:\Users\Admin\AppData\Local\Temp\Nuwo.exe"

C:\Users\Admin\AppData\Local\Temp\Nuwo.exe

"C:\Users\Admin\AppData\Local\Temp\Nuwo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
GB 96.16.110.114:80 N/A tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21522\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab


C:\Users\Admin\AppData\Local\Temp\_MEI21522\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Local\Temp\_MEI21522\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI21522\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4


C:\Users\Admin\AppData\Local\Temp\_MEI21522\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf


C:\Users\Admin\AppData\Local\Temp\_MEI21522\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f


C:\Users\Admin\AppData\Local\Temp\_MEI21522\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958


C:\Users\Admin\AppData\Local\Temp\_MEI21522\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

C:\Users\Admin\AppData\Local\Temp\_MEI21522\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI21522\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI21522\colorful\data\rgb.txt

MD5 09ee098b83d94c7c046d6b55ebe84ae1
SHA1 2a3c7ba23dbc3195a203a4cd744c5ce492b0358c
SHA256 2c8ab5acc9eb072f4cc88696834188100d05e50af5d1425501d993700aaa3164
SHA512 a5ab9660410d0f080e216df828b2a5f76cf32f90adcb157ab74609bad6268cdd97e6c2408e512126170028f52913d82e59a7df71a53e36c94bd6517ba50158f3


C:\Users\Admin\AppData\Local\Temp\_MEI21522\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

C:\Users\Admin\AppData\Local\Temp\_MEI21522\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

C:\Users\Admin\AppData\Local\Temp\_MEI21522\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea


C:\Users\Admin\AppData\Local\Temp\_MEI21522\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4


Analysis: behavioral3

Detonation Overview

Submitted 2024-06-20 02:56
Reported 2024-06-20 02:59
Platform win7-20240611-en
Max time kernel 118s
Max time network 123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6cb9b00597811784c6a462ad5f975532
SHA1 9fac409100e12ce9457d88f66618514e4dc0ab92
SHA256 036e1050fc13bcb0686dc291fb5ff7a02b6422d0f450a46c79331361f3ce382d
SHA512 c3a58a7f100a6180af5d2b27092c00f02d269766dfa2ac95e665e6e811ee30fa1c5bc267a269bea3fa6457ade77ab047e780dbda9bdc579d421c489ce238641a

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-20 02:56
Reported 2024-06-20 02:59
Platform win10v2004-20240611-en
Max time kernel 148s
Max time network 152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 2080 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Nuwo.pyc

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

N/A