Analysis
max time kernel: 95s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2024 23:58
Behavioral task behavioral1: Sample Exela.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample Exela.exe, Resource win10v2004-20240802-en
Behavioral task behavioral3: Sample Stub.pyc, Resource win7-20240708-en
Behavioral task behavioral4: Sample Stub.pyc, Resource win10v2004-20240802-en
General
Target: Stub.pyc
Size: 178KB
MD5: 0b4619408057552e0dcee774b6cb8f65
SHA1: c364b60ddf2fd33a4368fa8f32ec50e8ff27b00d
SHA256: 30e940d49ce4de6dac8c07b3c7a7253c6a3b41f7fdb7b177f5da6a00fca4b31a
SHA512: 8772bbcf320e03e7f7157af4168d95c15ee0b719e4819307bc98b6cec7ca2c4ce624a400bf4f050bd64629ef5f821ee1437cc447b08aae9a6d739f817f0baec2
SSDEEP: 3072:hPGcc+7r5FEj5S1njCuGTvO0K2ehnxVZ7uuG6ZX/jaVyNq8aZ9/eM6JxB3wluH+b:hPGa79eArZ2eRHjaVRpeDNl+b
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (12 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file\shell\edit | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\.pyc | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\.pyc\ = "pyc_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file\shell | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file\shell\edit\command | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file\shell\open | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | cmd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\pyc_auto_file\shell\open\command | OpenWith.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  4036 | NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3052 | OpenWith.exe

Suspicious use of SetWindowsHookEx (55 IoCs)
  pid | Process
  3052 | OpenWith.exe (the same entry, repeated 55 times)

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3052 wrote to memory of 4036 | 3052 | OpenWith.exe | 87
  PID 3052 wrote to memory of 4036 | 3052 | OpenWith.exe | 87
Processes
C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  PID: 1604
  - Modifies registry class

C:\Windows\system32\OpenWith.exe (depth 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3052
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE (depth 2, child of PID 3052)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Stub.pyc
    PID: 4036
    - Opens file in notepad (likely ransom note)