b6bcb9480197593ac3c34b9e3e88f5704ae60377ccabb346b6f2b459261bd79c

Analysis

max time kernel
122s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shack of Love 1.0.0.zip
Size

131KB
MD5

476ad70d77c9156a99c8d1d327143ca0
SHA1

d8966019d2008e30deea296002487ca02c2b7645
SHA256

b6bcb9480197593ac3c34b9e3e88f5704ae60377ccabb346b6f2b459261bd79c
SHA512

d25bdc6f42b1e20c5fbc439c1ba091b6e0215baa124f9f440bc7ba2e8b0e2e96578c65f02d9c2b08ee935fcc1d0fcf3394f5481b8ff4c8140800185890be4895
SSDEEP

3072:YxfwHQcA7KF9h7ogJVJpdqcBFS+1Uge4gUbpOnJbqXpVFvHiviWRlVz:+XKF9hE+HLpUt4BUJepvCN

Score

1^/10

Malware Config

Signatures

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\翹	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\翹\ = "trayitem_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.bpi	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.bpi\ = "bpi_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.trayitem	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.trayitem\ = "trayitem_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\䄱ʨ\ = "trayitem_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\䄱ʨ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\떺꘨䷹蠀䀀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\떸ꘪ䳹蠀김䄮ʨ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\馐䄪ʨ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ᵐ広翹\ = "trayitem_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\떸ꘪ䳹蠀김䄮ʨ\ = "trayitem_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\떺꘨䷹蠀䀀\ = "trayitem_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\bpi_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\떾꘬䯹鐀click	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\ᵐ広翹	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\\ = "trayitem_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\떾꘬䯹鐀click\ = "trayitem_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\馐䄪ʨ\ = "trayitem_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\trayitem_auto_file\shell\open\command	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3460	OpenWith.exe
4696	OpenWith.exe
2328	OpenWith.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
2604	OpenWith.exe
3460	OpenWith.exe
3460	OpenWith.exe
3460	OpenWith.exe
3460	OpenWith.exe
3460	OpenWith.exe
3460	OpenWith.exe
3460	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
4696	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe
2328	OpenWith.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 4456	2604	OpenWith.exe	101
PID 2604 wrote to memory of 4456	2604	OpenWith.exe	101
PID 3460 wrote to memory of 2516	3460	OpenWith.exe	105
PID 3460 wrote to memory of 2516	3460	OpenWith.exe	105
PID 4696 wrote to memory of 4044	4696	OpenWith.exe	109
PID 4696 wrote to memory of 4044	4696	OpenWith.exe	109
PID 2328 wrote to memory of 2280	2328	OpenWith.exe	120
PID 2328 wrote to memory of 2280	2328	OpenWith.exe	120

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Shack of Love 1.0.0.zip"
1⤵
PID:4308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Shack of Love 1.0.0\0x00000203!0x04360b1106c55a86.bpi
  2⤵
  PID:4456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Shack of Love 1.0.0\0x00000103!0x04360b1106c55a86.bpi
  2⤵
  PID:2516

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Shack of Love 1.0.0\0x00000003!0x04360b1106c55a86.bpi
1⤵
PID:3620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Shack of Love 1.0.0\0x00000002!0x04360b1106c55a86.trayitem
  2⤵
  PID:4044

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Shack of Love 1.0.0\0x00000002!0x04360b1106c55a86.bpi
1⤵
PID:4964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Shack of Love 1.0.0\0x00000000!0x04360b1106c55a86.blueprint
  2⤵
  PID:2280

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads