Analysis
-
max time kernel
175s -
max time network
177s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted
03-08-2024 07:05
Behavioral task
behavioral1
Sample
source_prepared.exe
Resource
win11-20240802-en
Behavioral task
behavioral2
Sample
source_prepared.pyc
Resource
win11-20240802-en
General
-
Target
source_prepared.pyc
-
Size
50KB
-
MD5
e58da0bbef9355f009ff86bf7809cc14
-
SHA1
9e22a02329aec26661eacbd96fbb99eba82350d2
-
SHA256
f8539465a14dab031915858b8126a6479534d415e39b484d34cf831e6a781baa
-
SHA512
6c7adb48263a5d50a6fdce5a3ea4dae30b6b7017610d23020f196d8b66c990b12ca7dab4997b7d5ffaeb327e9c624497fa79d7070b22eeea37936baa6ac92c56
-
SSDEEP
768:HmIqlgJ+8L6r9RNQzJjmlTFcYb1cMpu2RFpq94WUNfAoDBU6kjJFSq:GBgQdN+ETFRpFFzAodkXz
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Winword.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Winword.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: Winword.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Winword.exe
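Both signatures above key on reads of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and HKLM\HARDWARE\DESCRIPTION\System\BIOS, values Word reads during ordinary start-up, so a detection that matches only on the key path fires on every Office launch. The rule below is an added example, not part of the Triage report or its signature set: it keeps the key match from the IoCs but scores the reading process by image allowlist, image location and parent process, over Sysmon-style process-create and registry-query records. The process and query records for PIDs 4188 and 4576 mirror the report; the stage2.exe records, the allowlist, the parent list and the weights are constructed assumptions for the demonstration.

```python
"""Lineage-aware rule for the CPU/BIOS registry reads flagged in the report.

Added example, not part of the Triage report.  Records are modelled on Sysmon
process-create / registry-query events; the allowlist, scoring weights and the
stage2.exe records are assumptions made for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two key families named in the report's IoCs (case-insensitive).
WATCHED_KEYS = re.compile(
    r"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(CentralProcessor\\0|BIOS)(\\|$)",
    re.IGNORECASE,
)
# Images that read these keys during normal start-up (assumed allowlist; extend per estate).
BENIGN_READERS = {r"c:\program files\microsoft office\root\office16\winword.exe"}
# Parents whose children have no business fingerprinting the host (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]


@dataclass(frozen=True)
class RegQuery:
    pid: int
    key: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_process(p: Proc, by_pid: Dict[int, Proc]):
    """Score one reader of a watched key; 0 means 'expected for this image'."""
    score, reasons = 0, []
    if p.image.lower() not in BENIGN_READERS:
        score += 1
        reasons.append(f"{basename(p.image)} is not an allowlisted reader")
    if USER_WRITABLE.match(p.image):
        score += 2
        reasons.append("image runs from a user-writable path")
    parent = by_pid.get(p.parent) if p.parent is not None else None
    if parent and basename(parent.image) in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"spawned by {basename(parent.image)} (PID {parent.pid})")
    return score, reasons


def triage_registry_reads(procs: List[Proc], queries: List[RegQuery]) -> List[dict]:
    """Return scored findings for every process that read a watched key."""
    by_pid = {p.pid: p for p in procs}
    reads: Dict[int, List[str]] = {}
    for q in queries:
        if WATCHED_KEYS.search(q.key) and q.pid in by_pid:
            reads.setdefault(q.pid, []).append(q.key)
    findings = []
    for pid, keys in reads.items():
        score, reasons = score_process(by_pid[pid], by_pid)
        if score:
            findings.append({"pid": pid, "image": by_pid[pid].image, "score": score,
                             "reads": len(keys), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Records taken from the report: OpenWith.exe 4188 spawned Winword.exe 4576, which read four values.
REPORT_PROCS = [
    Proc(4188, r"C:\Windows\system32\OpenWith.exe", None),
    Proc(4576, r"C:\Program Files\Microsoft Office\root\Office16\Winword.exe", 4188),
]
REPORT_QUERIES = [
    RegQuery(4576, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    RegQuery(4576, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegQuery(4576, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    RegQuery(4576, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
]
# Constructed records (not in the report): a binary under %TEMP%, launched by Word, reading the same keys.
CONSTRUCTED_PROCS = [Proc(7777, r"C:\Users\Admin\AppData\Local\Temp\stage2.exe", 4576)]
CONSTRUCTED_QUERIES = [
    RegQuery(7777, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegQuery(7777, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    RegQuery(7777, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),  # not watched
]


def run_demo() -> List[dict]:
    return triage_registry_reads(REPORT_PROCS + CONSTRUCTED_PROCS, REPORT_QUERIES + CONSTRUCTED_QUERIES)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run as a script to print the findings: the report's own events score zero and are dropped, while the constructed stage2.exe reader scores 5 on two watched reads. An image-path allowlist on its own is defeated by code injected into Word, which is why the parent and path signals are scored alongside it rather than replaced by it.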
Modifies registry class 4 IoCs
Processes: OpenWith.exe, cmd.exe, OpenWith.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: Winword.exe
pid | process
4576 | Winword.exe (2 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: OpenWith.exe
pid | process
4188 | OpenWith.exe
Suspicious use of SetWindowsHookEx 29 IoCs
Processes: OpenWith.exe, Winword.exe, OpenWith.exe, OpenWith.exe
pid | process
4188 | OpenWith.exe (21 events)
4576 | Winword.exe (6 events)
692 | OpenWith.exe (1 event)
3600 | OpenWith.exe (1 event)
Suspicious use of WriteProcessMemory 2 IoCs
Processes: OpenWith.exe
description | pid | process | target process
PID 4188 wrote to memory of 4576 | 4188 | OpenWith.exe | Winword.exe
PID 4188 wrote to memory of 4576 | 4188 | OpenWith.exe | Winword.exe
Processes
cmd.exe (PID 2040)
  C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  - Modifies registry class
OpenWith.exe (PID 4188)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Winword.exe (PID 4576, child of PID 4188)
    "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
OpenWith.exe (PID 692)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
OpenWith.exe (PID 3600)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

Reading the tree: running cmd /c on a .pyc with no registered handler does not execute bytecode; the shell raises the "Open with" prompt (OpenWith.exe, activated by COM with -Embedding), and Winword.exe was then started with the .pyc as a document. No Python interpreter appears anywhere, so the sample's own code never ran. Every signature in this report belongs to OpenWith.exe or to Word opening an arbitrary file: the CentralProcessor and BIOS reads are Word's normal start-up, and the two WriteProcessMemory events are the parent (4188) writing into the child it had just created (4576), which is what process creation looks like. Treat this run as a failed detonation rather than as behaviour of source_prepared.pyc.
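The target is CPython bytecode and the tree above shows no Python interpreter was ever started, so the dynamic run says nothing about what source_prepared.pyc does. The script below is an added example, not part of the report, and it does not touch the real sample (which is not available on this page): it parses the .pyc header, maps the magic number to an interpreter version, unmarshals the code object without executing it and lists the names it references against a watchlist. The magic-to-version table is taken from CPython's importlib source and is an assumption to verify against the interpreter you choose; the in-memory sample module, the watchlist and the timestamp are constructed for the demonstration.

```python
"""Static first look at a .pyc the sandbox never ran.

Added example, not from the report.  A sample .pyc is constructed in memory so
the script runs offline; nothing here executes the bytecode.
"""
import importlib.util
import marshal
import struct
import sys
import types
from typing import Dict, Set

# Magic (low 16 bits, little-endian) -> CPython release.  Values from
# Lib/importlib/_bootstrap_external.py; assumed here, verify before relying on them.
MAGIC_TO_VERSION = {3379: "3.6", 3394: "3.7", 3413: "3.8", 3425: "3.9",
                    3439: "3.10", 3495: "3.11", 3531: "3.12", 3571: "3.13"}
CURRENT_MAGIC_INT = int.from_bytes(importlib.util.MAGIC_NUMBER[:2], "little")
RUNNING_VERSION = f"{sys.version_info.major}.{sys.version_info.minor}"

# Names worth a second look in unknown bytecode (assumed watchlist).
WATCHLIST = {"socket", "subprocess", "ctypes", "base64", "marshal", "exec", "eval",
             "urllib", "winreg", "os", "zlib", "compile"}


def parse_header(data: bytes) -> Dict[str, object]:
    """Parse the .pyc header: 12 bytes before 3.7, 16 bytes (PEP 552) from 3.7 on."""
    if len(data) < 12 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc header")
    magic_int = int.from_bytes(data[:2], "little")
    hdr: Dict[str, object] = {
        "magic_int": magic_int,
        "python_version": MAGIC_TO_VERSION.get(magic_int, "unknown"),
    }
    if magic_int < 3394:  # pre-3.7 layout: magic, mtime, size
        hdr["header_len"] = 12
        hdr["hash_based"] = False
        hdr["source_mtime"], hdr["source_size"] = struct.unpack("<II", data[4:12])
        return hdr
    if len(data) < 16:
        raise ValueError("truncated PEP 552 header")
    (flags,) = struct.unpack("<I", data[4:8])
    hdr["header_len"] = 16
    hdr["hash_based"] = bool(flags & 1)    # bit 0: hash-based pyc
    hdr["check_source"] = bool(flags & 2)  # bit 1: checked vs. unchecked hash
    if hdr["hash_based"]:
        hdr["source_hash"] = data[8:16].hex()
    else:
        hdr["source_mtime"], hdr["source_size"] = struct.unpack("<II", data[8:16])
    return hdr


def collect_names(code: types.CodeType) -> Set[str]:
    """Walk nested code objects; co_names holds imports, attribute and global names."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= collect_names(const)
    return names


def triage_pyc(data: bytes) -> Dict[str, object]:
    """Header fields plus referenced names; the code object is never executed."""
    info = parse_header(data)
    # marshal.loads only deserialises, but it needs the matching interpreter version.
    if info["magic_int"] != CURRENT_MAGIC_INT:
        info["names"], info["watchlist_hits"] = set(), set()
        info["note"] = "magic mismatch: unmarshal with the interpreter this magic belongs to"
        return info
    code = marshal.loads(data[info["header_len"]:])
    info["names"] = collect_names(code)
    info["watchlist_hits"] = info["names"] & WATCHLIST
    return info


# Constructed stand-in for the sample (not the real file).
SAMPLE_SRC = "import socket, base64\n\ndef f():\n    return base64.b64decode(b'aGk=')\n"


def build_sample_pyc() -> bytes:
    """Timestamp-based header + marshalled module code, as py_compile would write it."""
    code = compile(SAMPLE_SRC, "sample.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 1722668700, len(SAMPLE_SRC))
    return header + marshal.dumps(code)


if __name__ == "__main__":
    for key, value in triage_pyc(build_sample_pyc()).items():
        print(f"{key}: {value}")
```

Run as a script it reports the header fields, the version guess and the watchlist hits for the constructed module (socket and base64). For a real .pyc the first step is the magic number: unmarshal and decompile only under an interpreter of that exact version, and never exec the code object outside an isolated machine.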