Analysis
- Max time kernel: 137s
- Max time network: 143s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240709-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 26-07-2024 15:51
Behavioral tasks
- behavioral1: sample index.exe, resource win7-20240708-en
- behavioral2: sample index.exe, resource win10v2004-20240709-en
- behavioral3: sample Creal.pyc, resource win7-20240705-en
- behavioral4: sample Creal.pyc, resource win10v2004-20240709-en
General
- Target: Creal.pyc
- Size: 108KB
- MD5: 827fee64b0b3073f98bd0c945081f337
- SHA1: 1bd490373e23f3db124f2049bf0081258b836139
- SHA256: 67c6aab3dc0f448c4b4de7c0fce857961e098986ccabb7c71fb9f48aef29aad2
- SHA512: dd85c046bac960cfb4f2bb432ec5eee74e8fbfc48fbbb1727f9c140acf6fff2ff47ffb84828abf9ea470a2eb4216607f5ed062065345a1719f54d0780ab2fbc7
- SSDEEP: 3072:nV7MaNdUcd63LDAFT8+IiEssh00mH0PtZ8IKEDRc:aQUgW33Hlc
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings (process: cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings (process: OpenWith.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 4812, process OpenWith.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  PID 4812, process OpenWith.exe (64 occurrences)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
  Signatures: Modifies registry class
  PID: 3036
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
  PID: 4812
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3296