Analysis
- max time kernel: 133s
- max time network: 137s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 08-07-2024 18:25
Behavioral task: behavioral1
- Sample: BloodFMx64x.exe
- Resource: win10-20240611-en
- Platform: windows10-1703-x64
- 28 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: Creal.pyc
- Resource: win10-20240404-en
- Platform: windows10-1703-x64
- 6 signatures
- 150 seconds
General
- Target: Creal.pyc
- Size: 29KB
- MD5: 813e50b885df76bc8bd3af306f010d7a
- SHA1: 58a6091cf4915b90baf4625bc43738314d8bab60
- SHA256: de51d25a95492d641355c32ee9ce0950500695aabbee0351960bca4aaef13a51
- SHA512: 28e67885b5440285a6984e924cb06beb26421d3d5b73571c8004be08bcb392d606d04c5ec8d8e5c6d461c5560299ddb278d3d0daf45febcbd09084abcedb5d87
- SSDEEP: 768:3+lVSjnrr2VsfNEiyAuMMIfznTZMdpV7ISrx5HQtvK17Cvr:30SDrfe3uzTZMB76K176r
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  3132 | NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4500 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (19 IoCs)
  pid | Process
  4500 | OpenWith.exe (19 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 4500 wrote to memory of 3132 | 4500 | OpenWith.exe | 75
  PID 4500 wrote to memory of 3132 | 4500 | OpenWith.exe | 75
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
  - Modifies registry class
  PID: 1768
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4500
  - C:\Windows\system32\NOTEPAD.EXE (child of PID 4500)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Creal.pyc
    - Opens file in notepad (likely ransom note)
    PID: 3132