Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 26-07-2024 15:51
Behavioral tasks
- behavioral1: Sample index.exe, Resource win7-20240708-en
- behavioral2: Sample index.exe, Resource win10v2004-20240709-en
- behavioral3: Sample Creal.pyc, Resource win7-20240705-en
- behavioral4: Sample Creal.pyc, Resource win10v2004-20240709-en
General
- Target: Creal.pyc
- Size: 108KB
- MD5: 827fee64b0b3073f98bd0c945081f337
- SHA1: 1bd490373e23f3db124f2049bf0081258b836139
- SHA256: 67c6aab3dc0f448c4b4de7c0fce857961e098986ccabb7c71fb9f48aef29aad2
- SHA512: dd85c046bac960cfb4f2bb432ec5eee74e8fbfc48fbbb1727f9c140acf6fff2ff47ffb84828abf9ea470a2eb4216607f5ed062065345a1719f54d0780ab2fbc7
- SSDEEP: 3072:nV7MaNdUcd63LDAFT8+IiEssh00mH0PtZ8IKEDRc:aQUgW33Hlc
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1312 | rundll32.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  1312 | rundll32.exe (same entry repeated 64 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1856 wrote to memory of 1312 | 1856 | cmd.exe | 31
  PID 1856 wrote to memory of 1312 | 1856 | cmd.exe | 31
  PID 1856 wrote to memory of 1312 | 1856 | cmd.exe | 31
Processes
- 1. C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
  - Suspicious use of WriteProcessMemory
  PID: 1856
  - 2. C:\Windows\system32\rundll32.exe (child of PID 1856)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Creal.pyc
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID: 1312