d21adb4e0938c18241d225748676e9f73c5a81210be881841b3b22c6e6abe9b4

Resubmissions

02/03/2025, 00:51

250302-a7g2dsysds 7

02/03/2025, 00:49

250302-a6r5zaymw2 10

02/03/2025, 00:48

250302-a5tx6syms4 3

01/03/2025, 11:30

250301-nmf59azrs3 10

Analysis

max time kernel
67s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
02/03/2025, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

load.sh
Size

129B
MD5

b165b7f155810af7139dd707d2e151c9
SHA1

a49fe736dd310d0a64f3628c744c590fd7c43bdc
SHA256

d21adb4e0938c18241d225748676e9f73c5a81210be881841b3b22c6e6abe9b4
SHA512

8256ac2815b643527aae2410fa26a4179c22b793d028b402b2077fd57031e48f2457f6a07a6a0f53e479a3781ac466f248e58114dd38e35793ac3364e07a177c

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 5e00310000000000625a110610004e4557464f4c7e310000460009000400efbe625a1106625a11062e00000044ae020000001d0000000000000000000000000000003cc951004e0065007700200066006f006c00640065007200000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000515a8bac110050524f4752417e310000740009000400efbec5525961515a8bac2e0000003f0000000000010000000000000000004a0000000000e39c6500500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1000	OpenWith.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\load.sh
1⤵
PID:1756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads