Analysis

  • max time kernel
    106s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/04/2025, 09:09 UTC

General

  • Target

    main.pyc

  • Size

    7KB

  • MD5

    9be288e160511cb7167db814b448fe97

  • SHA1

    3b0abc31f4cd3e719f0d680cb5d6fcca8eef5389

  • SHA256

    53ff3d0a5c6a1ed972adb415d7ddcaf666d3e0d55793f579923a758908ec64a7

  • SHA512

    c433a39e9db1e57783fe47c515e8b602693d1791882192c69b0f0189caa9f4137cf593eab21aa8e5762afc63fc3900826686f5823e32ed0d160b4c8486e5f868

  • SSDEEP

    192:wDRD4nD8HRhWdXw5sDtt8r6JhwCMdw2nw:QR8WPWu5g4+2CP2w

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

    Heuristic only: the process tree shows OpenWith.exe launching NOTEPAD.EXE on main.pyc itself, which is what Windows does when a file extension has no registered handler on the image. No note was written to disk and no Python interpreter ever executed the sample.
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
    1⤵
    • Modifies registry class
    PID:3020
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyc
      2⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:2416

Network

Every request below carries a Windows shell or Microsoft-CryptoAPI user agent and goes to Microsoft (bing.com ad/tile endpoints) or Google PKI (CRL refresh) infrastructure, and no process in the tree above is a Python interpreter. Treat this traffic as background noise from the Windows 10 image rather than activity of main.pyc.

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3700CCD6F2AD69DE05A3D91DF31668EF; domain=.bing.com; expires=Wed, 06-May-2026 09:09:42 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E973FE1A871F417E94DACBAAB292CCC8 Ref B: LON04EDGE0922 Ref C: 2025-04-11T09:09:42Z
    date: Fri, 11 Apr 2025 09:09:42 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3700CCD6F2AD69DE05A3D91DF31668EF
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=0FZ-ED8EJfq5BdWV_AQOkFhEaH4H8p7wtLwpPskK1IY; domain=.bing.com; expires=Wed, 06-May-2026 09:09:42 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 42424A2490EC42CDBBF052520DB72BF3 Ref B: LON04EDGE0922 Ref C: 2025-04-11T09:09:42Z
    date: Fri, 11 Apr 2025 09:09:42 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3700CCD6F2AD69DE05A3D91DF31668EF; MSPTC=0FZ-ED8EJfq5BdWV_AQOkFhEaH4H8p7wtLwpPskK1IY
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5EC799ACCDCC4961AFB68C1B17413F57 Ref B: LON04EDGE0922 Ref C: 2025-04-11T09:09:42Z
    date: Fri, 11 Apr 2025 09:09:42 GMT
  • flag-gb
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.135.17:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=3700CCD6F2AD69DE05A3D91DF31668EF; MSPTC=0FZ-ED8EJfq5BdWV_AQOkFhEaH4H8p7wtLwpPskK1IY
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Fri, 11 Apr 2025 09:09:44 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.40367a5c.1744362584.24b77818
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.227
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.179.227:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 03 Apr 2025 14:18:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Fri, 11 Apr 2025 08:26:53 GMT
    Expires: Fri, 11 Apr 2025 09:16:53 GMT
    Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
    Age: 2631
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=daa8c45bf3f14188b27278f43c503a09&localId=w:CF4AB2A9-0B9A-0F31-C27E-2E5E1AB9FBB9&deviceId=6896214315131781&anid=

    HTTP Response

    204
  • 88.221.135.17:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.4kB
    17
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 142.250.179.227:80
    http://c.pki.goog/r/r1.crl
    http
    476 B
    395 B
    6
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.227

MITRE ATT&CK Enterprise v16
