Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 20:39
Behavioral task behavioral1
Sample: SILENT - Bypass Alt Detection.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: SILENT - Bypass Alt Detection.exe
Resource: win10v2004-20241007-en
Behavioral task behavioral3
Sample: silent_obf_1028352774414549072_47468be2-b0e9-4037-b339-f535d489dcf4.pyc
Resource: win7-20241010-en
Behavioral task behavioral4
Sample: silent_obf_1028352774414549072_47468be2-b0e9-4037-b339-f535d489dcf4.pyc
Resource: win10v2004-20241007-en
General
Target: silent_obf_1028352774414549072_47468be2-b0e9-4037-b339-f535d489dcf4.pyc
Size: 268KB
MD5: a5eb12635497dd0cc9bb32f6a4568a67
SHA1: 0ac5108813391b7bd83427d7f39a7d5081bd1de9
SHA256: 1a951bc2ab693fb61aac1f7df260010610008ec67d2b3bfca5d408e86b22ba3b
SHA512: 9d603b57e58aa03384963ec859f62e23c70195193840fe7e9623c929915755ee4a69a17a3d08b54f231346d4012b470ccdb5337afa9d88701a22c8050767e056
SSDEEP: 6144:jAQ0lx3x1Qim59Rv5bSZeHIyaCA9P3zQB7T+egjonNvG8VY3m8ooMtScktcusPbi:MDLB1Qim5995b+eHIy/A13zQB7T+egj7
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (12 IoCs)
  Processes: OpenWith.exe, cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file\shell\edit | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file\shell | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file\shell\edit\command | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file\shell\open\command | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.pyc | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.pyc\ = "pyc_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\pyc_auto_file\shell\open | OpenWith.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: OpenWith.exe
  pid | process
  1660 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: OpenWith.exe
  pid | process
  1660 | OpenWith.exe (17 identical events)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description | pid | process | target process
  PID 1660 wrote to memory of 4800 | 1660 | OpenWith.exe | NOTEPAD.EXE
  PID 1660 wrote to memory of 4800 | 1660 | OpenWith.exe | NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe (level 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\silent_obf_1028352774414549072_47468be2-b0e9-4037-b339-f535d489dcf4.pyc
  Signatures: Modifies registry class
  PID: 3332
- C:\Windows\system32\OpenWith.exe (level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 1660
  - C:\Windows\system32\NOTEPAD.EXE (level 2, child of OpenWith.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\silent_obf_1028352774414549072_47468be2-b0e9-4037-b339-f535d489dcf4.pyc
    PID: 4800