Overview

overview

3

Static

static

1

remoteaccess.pyw

windows11-21h2-x64

3

Analysis

  • max time kernel
    1732s
  • max time network
    1479s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-08-2024 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    remoteaccess.pyw

  • Size

    2KB

  • MD5

    6cb04fe62b0ddf9cdb853f6f1ac17ea7

  • SHA1

    a5be1de55524c10d54f233a06b59bc269a6ef7af

  • SHA256

    309f31b44abac52231b009adddd15239491a78f816864f9f330ac5a3d23416f3

  • SHA512

    4308593317411bfb853f420f1a5adc46aac8fe42cc4397833c7c8ddb8159457f6e7fb59a9d0e7364e9496ca17867b6a93aed5c2405574e3583ff976629b11837

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 47 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\remoteaccess.pyw
    1⤵
    • Modifies registry class
    PID:3172
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Program Files\Microsoft Office\root\Office16\Winword.exe
      "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\remoteaccess.pyw"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    16B

    MD5

    d29962abc88624befc0135579ae485ec

    SHA1

    e40a6458296ec6a2427bcb280572d023a9862b31

    SHA256

    a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

    SHA512

    4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

    Download Submit

  • memory/2024-0-0x00007FFE6C090000-0x00007FFE6C0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2024-3-0x00007FFE6C090000-0x00007FFE6C0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2024-4-0x00007FFE6C090000-0x00007FFE6C0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2024-2-0x00007FFE6C090000-0x00007FFE6C0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2024-1-0x00007FFE6C090000-0x00007FFE6C0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2024-5-0x00007FFE694F0000-0x00007FFE69500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2024-6-0x00007FFE694F0000-0x00007FFE69500000-memory.dmp

    Filesize

    64KB

    Download