9c13b909a8cab5f51b911cd5ec54163cd28a3446b6d752260941dec06fa2bf92

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 13:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

skuller.pyc
Size

1KB
MD5

a12d16f4c8110c7389ed37ccd69570c4
SHA1

d30117d84372625ad6627729ff40fd35bbe86561
SHA256

7d7af8a2663d7fc14552ff90e07e9ef109b1f5a60d2a0f8e086bae564cac358c
SHA512

fd759be430d7e896a0dc4cf9693d06b2f121a20b87d627db3ab42b029cc9f6a5b6a628c0577e79d7ea9ade34afccdf7aa234458a3ee9d875c5c8b7eadaadd888

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
920	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	OpenWith.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe
3180	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 920	3180	OpenWith.exe	89
PID 3180 wrote to memory of 920	3180	OpenWith.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\skuller.pyc
1⤵
- Modifies registry class
PID:1264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\skuller.pyc
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads