d85ac4e30467fd331cb3c129a33396e438250710d710ee2637cc9b16778def1d

Resubmissions

02/09/2024, 09:05

240902-k19g6swhpj 3

02/09/2024, 09:04

240902-k1q1tsxfqc 3

Analysis

max time kernel
17s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main1.exe.py
Size

1KB
MD5

7c6211f2ff430db322cefa73cc2e9bd4
SHA1

a7104974a070c6df4c74f467bc61893487fe8256
SHA256

d85ac4e30467fd331cb3c129a33396e438250710d710ee2637cc9b16778def1d
SHA512

b00a5a3951d7cd4354a9449d72e36c67f257daf58025a280e01bf44219157c3e32ec8de012e516807451afe0cbea3910953d4ca87783cc8d8aa42e001e1fdf9a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4536	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3116	OpenWith.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe
3116	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4536	3116	OpenWith.exe	97
PID 3116 wrote to memory of 4536	3116	OpenWith.exe	97

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main1.exe.py
1⤵
- Modifies registry class
PID:3284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main1.exe.py
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...