Sidebar: analysis tabs, one per task (sample, platform), with each tab's score badge in brackets
Overview
Static [10]
0.exe.zip, windows7-x64 [10]
0.exe.zip, windows10-2004-x64 [1]
0.exe, windows7-x64 [1]
0.exe, windows10-2004-x64 [10]
.data, windows7-x64 [10]
.data, windows10-2004-x64 [3]
.rdata, windows7-x64 [3]
.rdata, windows10-2004-x64 [3]
.reloc, windows7-x64 [3]
.reloc, windows10-2004-x64 [3]
.rsrc/BITMAP/103.bmp, windows7-x64 [3]
.rsrc/BITMAP/103.bmp, windows10-2004-x64 [3]
.rsrc/MANIFEST/1.xml, windows7-x64 [7]
.rsrc/MANIFEST/1.xml, windows10-2004-x64 [3]
.rsrc/MENU/102, windows7-x64 [1]
.rsrc/MENU/102, windows10-2004-x64 [1]
.rsrc/version.txt, windows7-x64 [1]
.rsrc/version.txt, windows10-2004-x64 [1]
.text, windows7-x64 [1]
.text, windows10-2004-x64 [3]
Analysis [3]
max time kernel: 141s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 09:26
Behavioral tasks
task           sample                  resource
behavioral1    0.exe.zip               win7-20240704-en
behavioral2    0.exe.zip               win10v2004-20240802-en
behavioral3    0.exe                   win7-20240708-en
behavioral4    0.exe                   win10v2004-20240802-en
behavioral5    .data                   win7-20240708-en
behavioral6    .data                   win10v2004-20240802-en
behavioral7    .rdata                  win7-20240708-en
behavioral8    .rdata                  win10v2004-20240802-en
behavioral9    .reloc                  win7-20240729-en
behavioral10   .reloc                  win10v2004-20240802-en
behavioral11   .rsrc/BITMAP/103.bmp    win7-20240704-en
behavioral12   .rsrc/BITMAP/103.bmp    win10v2004-20240802-en
behavioral13   .rsrc/MANIFEST/1.xml    win7-20240704-en
behavioral14   .rsrc/MANIFEST/1.xml    win10v2004-20240802-en
behavioral15   .rsrc/MENU/102          win7-20240705-en
behavioral16   .rsrc/MENU/102          win10v2004-20240802-en
behavioral17   .rsrc/version.txt       win7-20240704-en
behavioral18   .rsrc/version.txt       win10v2004-20240802-en
behavioral19   .text                   win7-20240729-en
behavioral20   .text                   win10v2004-20240802-en
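The task list above comes from splitting the submitted executable into its PE sections and resources and running each piece as its own sample. The following is an added example, standard-library Python that is neither Triage's code nor derived from the submitted file, which does the section half of that split: it walks the DOS header, PE signature, COFF header and section table, carves each section's raw bytes, hashes them with the same four algorithms the General section reports for .reloc, and flags two things worth checking on any carve: a section whose raw range runs past the end of the file (a truncated download or a header that points into an overlay), and a section mapped both writable and executable. Resource entries such as .rsrc/MANIFEST/1.xml need a further parse of the .rsrc directory tree and are not covered. `build_minimal_pe`, its zeroed PE32+ optional header and the 0x200 file alignment are constructed for the demo; the file it emits parses but is not loadable.

```python
"""Carve a PE into its sections and hash each one. Added example (standard
library only), not Triage's code and not derived from the submitted file."""
import hashlib
import struct
from typing import Dict, List, NamedTuple, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGNMENT = 0x200  # assumption for the constructed sample only


class Section(NamedTuple):
    name: str
    virtual_address: int
    raw_offset: int       # PointerToRawData
    raw_size: int         # SizeOfRawData
    characteristics: int
    truncated: bool       # raw range extends past the end of the file


def parse_sections(pe: bytes) -> List[Section]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    if table + 40 * nsections > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        raw_name, _vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, va, raw_ptr, raw_size, flags, raw_ptr + raw_size > len(pe)))
    return sections


def extract(pe: bytes, sec: Section) -> bytes:
    """Raw bytes of one section; shorter than SizeOfRawData when truncated."""
    return pe[sec.raw_offset:sec.raw_offset + sec.raw_size]


def hash_blob(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def section_report(pe: bytes) -> Dict[str, dict]:
    """Per-section size, hashes and two carve-time checks (keyed by section name,
    so a file with duplicate section names would need an index key instead)."""
    report = {}
    for sec in parse_sections(pe):
        blob = extract(pe, sec)
        wx = bool(sec.characteristics & IMAGE_SCN_MEM_WRITE) and bool(sec.characteristics & IMAGE_SCN_MEM_EXECUTE)
        report[sec.name] = {"size": len(blob), "wx": wx, "truncated": sec.truncated, **hash_blob(blob)}
    return report


def _align(n: int) -> int:
    return -(-n // FILE_ALIGNMENT) * FILE_ALIGNMENT


def build_minimal_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Constructed PE32+ skeleton: headers good enough for the parser above,
    zeroed optional header, bodies at FILE_ALIGNMENT boundaries. Not loadable."""
    opt = struct.pack("<H", 0x20B) + bytes(238)  # PE32+ magic, rest zero
    headers_len = 64 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr, va = _align(headers_len), 0x1000
    table, bodies = b"", b""
    for name, data, flags in sections:
        raw_size = _align(len(data))
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000  # one page per section; demo sections are small
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    head = dos + b"PE\0\0" + coff + opt + table
    return head.ljust(_align(headers_len), b"\0") + bodies


if __name__ == "__main__":
    # Constructed sample carrying the same section names this report split out.
    demo = build_minimal_pe([
        (".text", b"\xcc" * 16, 0x60000020),   # CODE | EXECUTE | READ
        (".rdata", b"rdata", 0x40000040),      # INITIALIZED_DATA | READ
        (".data", b"data", 0xC0000040),        # INITIALIZED_DATA | READ | WRITE
        (".reloc", b"\0" * 8, 0x42000040),     # INITIALIZED_DATA | DISCARDABLE | READ
    ])
    for name, info in section_report(demo).items():
        print(f"{name:8} {info['size']:6d} {info['sha256']}{' W+X' if info['wx'] else ''}")
```

The carved blob is SizeOfRawData bytes, so it includes the file-alignment padding; that is what a per-section hash like the one in the General section covers, and why the same section can hash differently between two builds that differ only in padding.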
General
Target: .reloc
Size: 2KB
MD5: 0997c172bb70dafb06dd0d5f220b8ef6
SHA1: b101e5b21ca18127584725fc3d875e1e31f260bf
SHA256: df1ae66a3d747156c00913596a4313eb8814fb627b21c424d3cb8baa257e27db
SHA512: a92d3ab2db442ff0a0c8c87ca2ac21dbac34bd355807a107942fcd02c4e8bf2a4e4746dd743033f3d16be797bc9a8b5a5d9380c83361435482e41af2336c4e02
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  description   ioc                                                                                    process
  Key created   \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings   cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings   OpenWith.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3692   OpenWith.exe
Suspicious use of SetWindowsHookEx (33 IoCs)
  pid 3692   OpenWith.exe (the same entry repeated 33 times)
Suspicious use of WriteProcessMemory (2 IoCs)
  description                        pid    process        target process
  PID 3692 wrote to memory of 4792   3692   OpenWith.exe   NOTEPAD.EXE
  PID 3692 wrote to memory of 4792   3692   OpenWith.exe   NOTEPAD.EXE
Processes
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\.reloc
  Modifies registry class
C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  Modifies registry class
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (child of OpenWith.exe)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.reloc

Reading the tree: the target of this task is a 2 KB .reloc section carved out of the submitted executable, not a PE image, so nothing in it can run on its own. `cmd /c` on a file with no registered handler hands it to the shell, which started the Open With dialog (OpenWith.exe, launched via COM with -Embedding), and the file was then opened in Notepad. Every IoC in this task is raised on cmd.exe or OpenWith.exe (the per-user Classes\Local Settings key, the window hooks, the write into the freshly created NOTEPAD.EXE child), none on the submitted bytes executing, so the hits describe the sandbox's own file-open path rather than the sample.