aea7f1ebba6370b23ae460ed08c526319893c53cddd0a221d7f74cd06ef1c3ff

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rat.py
Size

18KB
MD5

f6cd24f67e09cf948abf277def13393d
SHA1

e7bc43d5fadad14bbd35ba38c28acac4c653bd70
SHA256

aea7f1ebba6370b23ae460ed08c526319893c53cddd0a221d7f74cd06ef1c3ff
SHA512

aee87b7803fcb296241b0276239e913e9fcca1c963c5cc8168e946566bb401c23316ed1841bbf24868804642ac445568272896fea9fd072f114cd21606843375
SSDEEP

384:geyTCS8fLEZL4ldNL9cfXkfBIk7kEwtDkmS:ge+Z8fLEZL4ldNL9cfXk+k7kttDkmS

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703630735689142"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\py_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\py_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\py_auto_file\shell\open\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.py\ = "py_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\py_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\py_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\py_auto_file\shell\edit\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\꽍䐒਀耀	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a0031000000000029594a6d100053797374656d33320000420009000400efbe874f774829594a6d2e000000b90c0000000001000000000000000000000000000000c1e87400530079007300740065006d0033003200000018000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
912	NOTEPAD.EXE
4980	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3500	OpenWith.exe
912	NOTEPAD.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
912	NOTEPAD.EXE
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
912	NOTEPAD.EXE
912	NOTEPAD.EXE
912	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 912	3500	OpenWith.exe	97
PID 3500 wrote to memory of 912	3500	OpenWith.exe	97
PID 4356 wrote to memory of 3664	4356	chrome.exe	108
PID 4356 wrote to memory of 3664	4356	chrome.exe	108
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 1136	4356	chrome.exe	109
PID 4356 wrote to memory of 2984	4356	chrome.exe	110
PID 4356 wrote to memory of 2984	4356	chrome.exe	110
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111
PID 4356 wrote to memory of 2000	4356	chrome.exe	111

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\rat.py
1⤵
- Modifies registry class
PID:3852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\rat.py
  2⤵
  - Modifies registry class
  - Opens file in notepad (likely ransom note)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\rat.bat" "
1⤵
PID:3752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\rat.py
1⤵
- Opens file in notepad (likely ransom note)
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8b96bcc40,0x7ff8b96bcc4c,0x7ff8b96bcc58
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4424,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,4747610606174971603,1588880689185666740,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3680

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3e78b48d2796eb53ead0476e259fba7e

SHA1
1e8909ffd8f27825b0f41416262861f06fbe4fd1

SHA256
12421c248aea30fd307df34198ba4b21b32fa86ce7c1702bd4a3c9db636506ca

SHA512
125ed3c37216388b55b5eef3950e4a45f4d05619def6be65614da2b68a3c91def5154768317f63b61bc563fa0b95175c995b6899196033d77e3e22734f10baa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1e93b03b88af89472e2cbe9aed352f84

SHA1
fcc52d29f92c31ae85821f77bf1cf30d9e9fc84f

SHA256
02e96eef7e56d26783f64a8ac88a96c99a28c0378553f8fead1eea5e40c73ccd

SHA512
8dd55eac87497b98063e468b0d1169c0b14ca6e366695cd2558794cb97b9e187e0e2556fdbcd73f295bb1615658780f4d59a59bafe611fba46986b2e11bb84de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e49f4827031014086585b8af005fcaff

SHA1
795789ff51bf8a17ff6ab693149eeca4a16bcf57

SHA256
e2989cadb46102e66c0e9097b31dafc0190884820502968f655a7697eb95d623

SHA512
3423b5932453ba84252d43d92ec8fdd39430af0154e750d86ae9705ec917bdbb0341d1f18348fea33cc205eb586070fda5a63f2e8fb9547fc66778a88b9eee31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
001072d8319dcfdf3603bfcf88ee5387

SHA1
7359b2b60cc8ba383ce28e509269b9b8ab1b717e

SHA256
f00b9682d22d22349b212ef7e27af044b312761d8d88dfeebf9bfddf2ee98bb2

SHA512
1d1db434679dd96f273abd0f3f512d5d9abe0677c23b089b3cb8092906619343b1bd8682f70c09dc9c4fa9f301ffe7bb03bbbd690a641cd8cd4d479f331d31a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e4e24a5d260b839c29678a2cdc9d790c

SHA1
0b99627c45c7c32f0e4de1ec94ea46e369f61f3f

SHA256
3499a30e5c6845fb59e59c8b636d47c998a02e4ff71442fc67ef8610911f112f

SHA512
8923307ab9489f4db775c909e635595889e2ad67cfa00d35a2b485b2f99e7b657fc83f132b596b5b46c389d61375571fa8bc4700a3e7c412b9418a913e63a05c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
fa5dce933fd4e163714f3bddacefdd7f

SHA1
4737740c1334fddd90e26f6edf26ba03a4f35bba

SHA256
6f6534de572a2ac40c29d550ebdd427b3268345fd9d73dfd885a9de3075f6b44

SHA512
b0de4244758242d1f4f25b819d50be5f626963ecb93bdfa4c25c8266393f4d4560f9d04c7c68a11c037ac11d9e74677081c8726737d17b62d7f0c0dfa9a951e4

Download Submit
C:\Users\Admin\Downloads\rat.bat

Filesize
18KB

MD5
f6cd24f67e09cf948abf277def13393d

SHA1
e7bc43d5fadad14bbd35ba38c28acac4c653bd70

SHA256
aea7f1ebba6370b23ae460ed08c526319893c53cddd0a221d7f74cd06ef1c3ff

SHA512
aee87b7803fcb296241b0276239e913e9fcca1c963c5cc8168e946566bb401c23316ed1841bbf24868804642ac445568272896fea9fd072f114cd21606843375

Download Submit