f98956db2a2d9acb0f50488c4e48efd3e6a28f876f8d8c1c13c2b5a0adf01a07

Analysis

max time kernel
274s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1_FastTokenGen/util/__pycache__/pluggins.cpython-312.pyc
Size

3KB
MD5

4e4d8cf0d3385c08949deb8eb8e6a0d0
SHA1

e0bb75cbe330be9d567f5b699f324f9c7509fd1f
SHA256

3d8e1cfe0cb14cf9ce248840ff374e198d934742f0be6f0955c6e200ed5fbe55
SHA512

db156665caa4ff34776a4b0e80f27387c3dc5772b7108a896608a30e5700eb5de7958e01ae3a174d91a4757f45664cce50954edb3d49d10bcf1dfc78fa69dea5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2236	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5100	OpenWith.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2236	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 2236	5100	OpenWith.exe	97
PID 5100 wrote to memory of 2236	5100	OpenWith.exe	97

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1_FastTokenGen\util\__pycache__\pluggins.cpython-312.pyc
1⤵
- Modifies registry class
PID:1600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1_FastTokenGen\util\__pycache__\pluggins.cpython-312.pyc
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads