Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2025, 05:24

General

  • Target

    main.pyw

  • Size

    90KB

  • MD5

    634363e3508dc76dc9df5b57c9835911

  • SHA1

    73249efd62db5c5b5c19910c1786bff04d09b0ec

  • SHA256

    8b4dfdc5e60efea6a655ae48430ddb6f3656e6b7a5742a57f4716101a0778bf7

  • SHA512

    ad1b3b8d0b6869c9e7ae38d78410786f75e2fd509b8d4e226ac1330748fa2a533c1f5dc2d6c1d24900b64736b32fb95b52cedf22084da3234bb1b8853bb48def

  • SSDEEP

    1536:r7YbOOvQ2L2iuKfGmBEJELs/RdKOK6aaXlIAVcnaaU5ufq6lvS17p4LqDE9vfcK9:rkqOvQFmBEJELs/vKO0vu7p4d98K51F

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyw
    1⤵
    • Modifies registry class
    PID:3480
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyw
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3232

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads