Overview

overview

3

Static

static

3

main.pyc

windows10-1703-x64

3

Resubmissions

04-07-2024 11:35

240704-np9kkswerm 3

04-07-2024 11:31

240704-nmx4rsydjf 7

Analysis

  • max time kernel
    76s
  • max time network
    79s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-07-2024 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.pyc

  • Size

    29KB

  • MD5

    2de02059dad05e477fb8f68f896b9ce5

  • SHA1

    d2082b6e2c3c6413de373f3c42f0bf6111ac8e68

  • SHA256

    23a88b36c2e0007b3a4302b85710b86218d855cb86cb5a7359abe9279390b7cd

  • SHA512

    850b80ba6cd0d3979c032508a2d921a18dda2bf69230dba34919a848545f215be26bc51c18794cde395a36a427e5ec047ad478a9f712f1cf25184c4d20d4a868

  • SSDEEP

    384:IuD/4xagpBYfVw2JXEMihJMG2EELZawSUwIVuzdHJt2xjnMd7YIPt6eE:IuDsafVJJUMi0nEELswLwUidCwYot8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
    1⤵
    • Modifies registry class
    PID:2168
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyc
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2944
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.0.602109719\75805395" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {413524fc-d043-45af-9e5c-e877e05903fd} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 1796 1feb0fd8a58 gpu
        3⤵
          PID:364
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.1.1616514712\202672209" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be4b7708-f324-41c8-baf4-5026a07b41c2} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 2140 1fe9ec72b58 socket
          3⤵
            PID:2188
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.2.2062373001\1159814320" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 3004 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac1adfad-6055-4857-8a80-3e3f288c27d8} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 2940 1feb50aa458 tab
            3⤵
              PID:2980
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.3.1612311762\1884439498" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3468 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff68e105-8ff8-47e4-b656-99f02c31953f} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 3500 1fe9ec62858 tab
              3⤵
                PID:1424
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.4.1317130193\367924006" -childID 3 -isForBrowser -prefsHandle 4436 -prefMapHandle 4408 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa5b040c-5578-43b2-b5ab-5acea82e46d5} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 4448 1feb6197858 tab
                3⤵
                  PID:2884
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.5.145135742\555652839" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd08668d-b8a2-4fc5-9cec-502bed4ba0bb} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 4920 1feb7691158 tab
                  3⤵
                    PID:2068
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.6.1244281242\206077326" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c99681f-cd2f-4f8c-aa6a-eaa564a77db1} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 5060 1feb7692958 tab
                    3⤵
                      PID:4772
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4536.7.1846718084\1881606289" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ea5f34a-9f86-4563-b9e3-217cbbed6e32} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" 5248 1feb7692f58 tab
                      3⤵
                        PID:4324

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    25KB

                    MD5

                    70ed953ceabc140a1b29ed79f044c466

                    SHA1

                    c38a12ef3c09e3cb9afa45bdb5d61600f7fe23bd

                    SHA256

                    c8cf7146961fcc8ab24a9342fc4e1f36bb6ee7dff75ba9fb6d61c3bc93df7583

                    SHA512

                    4522bd12d9341a411ee792eb466fc74f5eb77e5ad4f2e1d34ba7c7bf21e5fcb4409460bb193b12df818f9ca0bba9c3aed5dfcddcaecb7f1cbd0fd670b76ac3a3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                    Filesize

                    7KB

                    MD5

                    c460716b62456449360b23cf5663f275

                    SHA1

                    06573a83d88286153066bae7062cc9300e567d92

                    SHA256

                    0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

                    SHA512

                    476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    f01fa9c19b6b59553efecfc21d26f2d0

                    SHA1

                    2c9c202a2225ccb8e011fa13bf7a438778e993a2

                    SHA256

                    3960ea6477007579058e5b318ec62b1a86334965f4b2a30fe3abe2313c12a9e7

                    SHA512

                    619c67c5faf278825fc8353951a0147a4674d603b0a7bebdbc9bea10adf4b1479a827628492c856dc6fed6240fe3552ed968accae6eede76d5bf21c626d236da

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\4803437b-707e-412c-b7dc-2abbbbb38e79
                    Filesize

                    746B

                    MD5

                    3206c7eec9cb54af7c1b62a5eb7c53a2

                    SHA1

                    89cce596d081071f4c48894aa4658fa1e157446e

                    SHA256

                    db61e5c0790a4fa775241456fdb3c0631cf4022917e393ab25ab622efbc20bcb

                    SHA512

                    1f0a26d317f293a0a5673a2d90c682949fe479f26ccf93a6f4d1e52efa9aadacd8aceafb9bea001a9b159e0670ba811e2012d3649d47ae183fed1f3ba9c5f56f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\916615a7-2f22-4894-8c9d-4b88709df26c
                    Filesize

                    10KB

                    MD5

                    639f5ab48c9ca096ca6c3e61e26da8f2

                    SHA1

                    5b99a68bf53c6eab2dee6ad724f67bd323fa6488

                    SHA256

                    8cb028fbf935fa218be9a520cc9a0c3745db321d35d51f59bf4e5f9ec637db6a

                    SHA512

                    8e427cf08f4371899c2d170859ef5aea2f768a2f1af5918e142497a110d0d88ab174ec75b3f9c7ba6a0534e1ea5d934e76e3a259a95bc1f1b6888cfa45d60367

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    095d3b85bd62d1fe57060b73fba5ea14

                    SHA1

                    0eb2d3cac1b497e7e2ad53f4dea97da3a504871d

                    SHA256

                    0d45ad74b53f74dcdc17a196f20d14efa400d2620f9f0ee40465083df4ce0858

                    SHA512

                    8eca5010e4993bc16e25602972ff7550b07b9678769e9f6aae7286f24509593b52e1e4cf4e2c5952b9e3b89bd0a50fcc2188d24eb18336050119b17a3c033568

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    997471d6886b1cffd8f9bc2605666aba

                    SHA1

                    bf57aff3c7b55d1447d9d284e8c2fc75511bbb9c

                    SHA256

                    5ddacd41708391310058278489b3e0297d9d198952579263601542082ffa4bf3

                    SHA512

                    d1b1b03f7958559ac2a38cf7b3fce85f0cd1e180cd6c7e1207ad5f75ea0f64948a0ea8b3359046dae7155780182d17ef69fb2ed2f9da98ceb7c32b648e3f74ce

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    af34f6862b481256b2c029f9ec52547f

                    SHA1

                    163328c0950900bd7fc62474cb2bf6f790239b23

                    SHA256

                    da0ad3b4108d0ce9a3888cd2658682b34e5f6feb6d1bd0b6184ea3beba82240f

                    SHA512

                    59db1066ab6e9b7c17df7554307268a4de39d408be6f33af891f6d8685ad25813ac5eca5759f00a663fda695ca2f342ef1e7f2b6a4e323a23641525feca8da1f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    cc6b5616af535ed4592e1d2db967a087

                    SHA1

                    a70a1781e0a337dadcf32f544b3498a9f8de2992

                    SHA256

                    c1a2fe1ec6b1da9cf306fc0be3848ae6f8e7f45d56fffd638eab46e301775158

                    SHA512

                    ea3fd9555017ea29d7d54f303e62146a968ecb36c7dc764f07ab8cb82239956da0bf2a51ad8e1c48213f679cc3cffe1871798852783bcf4ae617d613ece50157

                    Download Submit