Overview

overview

10

Static

static

10

666 Executor.exe

windows11-21h2-x64

7

main.pyc

windows11-21h2-x64

6

Resubmissions

12/10/2024, 10:25

241012-mf821swbjf 10

12/10/2024, 10:24

241012-mfpy5szgjr 10

12/10/2024, 10:23

241012-me1n9azfrj 10

12/10/2024, 10:21

241012-mdxafawajc 10

12/10/2024, 10:18

241012-mcd3gavhmb 10

Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/10/2024, 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.pyc

  • Size

    7KB

  • MD5

    9809e60cbdca68d072a80251b3a93c6c

  • SHA1

    3c79f419fab6e1ae20f1635bcbae8df6221ede47

  • SHA256

    01d442089838b2d3d581899e8e0929a476f5e656142e8fb3ea4c3c9da8c6ffff

  • SHA512

    b6de1323ae2f83cba24f96ebb8bd5a13a9da21087ca24e8b58b1c006bac7cd9e2f9663ce5441e8a2b3e10ad7e9a1c538d37dcc1e426790ddd3720b0b3daa8792

  • SSDEEP

    192:wo9+uqD8sTqKWdXwK3LD3IbzmJhwb05cFMdwTcTNTL2nw:b+udKWuKUzK2b05cFPTqliw

Score
6/10
discovery

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 41 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
    1⤵
    • Modifies registry class
    PID:752
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:6084
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\main.pyc"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5644
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5800
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          4⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:5956
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    384KB

    MD5

    62394a137b3beedeb892ed80924de40c

    SHA1

    fdb8c9cd6bbe15fe618b68e016fa14a59625b767

    SHA256

    25cce33207ccb0728526e27e43d9a0b2c761f40028fa47e6e77cbf8098747f2f

    SHA512

    380d75c568c54952468fcbc7dbbb698300174cbe9680ee8818c1534c8fec991ecbe0dcfccac678def9e7284bcb599eb455cda69bfb4caff087093ed19d8722eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    48b426758a49202457948b0902829913

    SHA1

    37c0582aed5b5cd874dc15e844b51bc95772934c

    SHA256

    34aa1554e3f1d3d3930da25baf9085bcb144252b9c66a2b8955a6d54ff7989f9

    SHA512

    e5f46122295255d315242461e97b4f334502f150e242d1934603ea8f65e888b5507f12bfebdfac76d199661554d58d07f87be4600f7365c8317dc9b47962a866

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    5433eab10c6b5c6d55b7cbd302426a39

    SHA1

    c5b1604b3350dab290d081eecd5389a895c58de5

    SHA256

    23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

    SHA512

    207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    17af36a6e1e8aa5b05cee4448dee96a4

    SHA1

    2107428e74f56ba255289a6a7327c9a182c66137

    SHA256

    564ca6c48e53d6348d8535dab655fad03b8a79bd63f78242a1eff736aaaeb357

    SHA512

    8e4646645e86d5f49af73b4da9d867887e30118fbf4fb0215e90bbe1b82a988cfdda2139c4146e9943929870480fa7d163be08ad9a04cbe548f07fde297ee755

    Download Submit

  • memory/5644-38-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-40-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-42-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-43-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-41-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-39-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-44-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-45-0x0000000009700000-0x0000000009710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5644-37-0x00000000070F0000-0x0000000007100000-memory.dmp

    Filesize

    64KB

    Download