Analysis
max time kernel: 136s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:24

Behavioral task: behavioral1
Sample: main.pyw
Resource: win10v2004-20250619-en
6 signatures, 150 seconds
General
Target: main.pyw
Size: 90KB
MD5: 634363e3508dc76dc9df5b57c9835911
SHA1: 73249efd62db5c5b5c19910c1786bff04d09b0ec
SHA256: 8b4dfdc5e60efea6a655ae48430ddb6f3656e6b7a5742a57f4716101a0778bf7
SHA512: ad1b3b8d0b6869c9e7ae38d78410786f75e2fd509b8d4e226ac1330748fa2a533c1f5dc2d6c1d24900b64736b32fb95b52cedf22084da3234bb1b8853bb48def
SSDEEP: 1536:r7YbOOvQ2L2iuKfGmBEJELs/RdKOK6aaXlIAVcnaaU5ufq6lvS17p4LqDE9vfcK9:rkqOvQFmBEJELs/vKO0vu7p4d98K51F
Score: 3/10
Malware Config
(no configuration extracted)

Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
description   ioc                                                                                  Process
Key created   \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000_Classes\Local Settings   OpenWith.exe
Key created   \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000_Classes\Local Settings   cmd.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid    Process
3232   NOTEPAD.EXE
Note: the file NOTEPAD.EXE opened is the sample itself (C:\Users\Admin\AppData\Local\Temp\main.pyw, see the process tree), not a note dropped by the sample, so this signature is a false positive here.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
372    OpenWith.exe

Suspicious use of SetWindowsHookEx (17 IoCs)
pid    Process
372    OpenWith.exe (all 17 entries are this process)

Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid   Process        procid_target
PID 372 wrote to memory of 3232    372   OpenWith.exe   93
PID 372 wrote to memory of 3232    372   OpenWith.exe   93
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyw
  PID: 3480
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  PID: 372
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE (child of PID 372)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyw
    PID: 3232
    - Opens file in notepad (likely ransom note)

What the tree shows: no python.exe or pythonw.exe appears anywhere, so the Python code in main.pyw never ran. cmd /c on a .pyw file hands the file to the shell, and the appearance of OpenWith.exe (the "How do you want to open this file?" dialog) is consistent with no application being registered for the .pyw extension on this image. OpenWith.exe is COM-activated (the -Embedding switch), which is why it sits at the top level of the tree rather than under cmd.exe; the dialog then opened the file in Notepad as plain text. The registry keys created under the user's _Classes\Local Settings hive by cmd.exe and OpenWith.exe, the SetWindowsHookEx and GetForegroundWindow calls from the dialog process, and the WriteProcessMemory from PID 372 into its own freshly created child 3232 are all side effects of that GUI fallback. The 3/10 score therefore describes the shell's handling of an unrecognised file, not the sample's behaviour; to observe the sample, rerun it on an image with a Python interpreter installed (for example pythonw.exe main.pyw) and compare the resulting tree.
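The check described above, written out as a small triage helper. This is an added example, not part of the report or of the sandbox's own tooling: the process records and WriteProcessMemory events are transcribed from the tree and IoC tables on this page, while the INTERPRETERS map, the VIEWERS set and the function names are this example's own assumptions. It decides whether a script sample was executed by an interpreter or merely displayed, lists what Notepad opened other than the sample (the only thing that could be a dropped note), and separates WriteProcessMemory events where the writer is the target's parent from genuine cross-process writes.

```python
"""Triage helper for a script sample in a sandbox process tree.

Process records below are transcribed from the report's process tree;
the interpreter and viewer tables are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: interpreters that would appear in the tree if a script of the
# given extension had really been run.
INTERPRETERS = {
    ".py": {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"},
    ".pyw": {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"},
    ".ps1": {"powershell.exe", "pwsh.exe"},
    ".vbs": {"wscript.exe", "cscript.exe"},
    ".js": {"wscript.exe", "cscript.exe", "node.exe"},
    ".bat": {"cmd.exe"},
    ".cmd": {"cmd.exe"},
}
# Assumption: programs that only display a file; the sample as their argument
# means it was viewed, not run.
VIEWERS = {"notepad.exe", "wordpad.exe"}


@dataclass
class Proc:
    pid: int
    image: str                    # image path as printed in the report
    cmdline: str
    parent: Optional[int] = None  # parent PID where the tree shows one

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _mentions(p: Proc, path: str) -> bool:
    """True when `path` is one of the process's arguments (case-insensitive)."""
    return path.lower() in (t.lower() for t in tokens(p.cmdline)[1:])


def execution_verdict(procs: list, sample: str) -> dict:
    """Was the sample run by an interpreter, or only opened as a document?"""
    fname = sample.rsplit("\\", 1)[-1]
    ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    interp = INTERPRETERS.get(ext, set())
    executed_by = sorted({p.name for p in procs if p.name in interp and _mentions(p, sample)})
    opened_by = sorted({p.name for p in procs if p.name in VIEWERS and _mentions(p, sample)})
    # OpenWith.exe is the "How do you want to open this file?" dialog: its
    # presence means the shell found no handler for the extension.
    dialog = any(p.name == "openwith.exe" for p in procs)
    if executed_by:
        verdict = "executed"
    elif opened_by or dialog:
        verdict = "not executed (opened as a document)"
    else:
        verdict = "undetermined"
    return {"verdict": verdict, "executed_by": executed_by,
            "opened_by": opened_by, "open_with_dialog": dialog}


def ransom_note_candidates(procs: list, sample: str) -> list:
    """Files Notepad displayed that are not the sample itself."""
    out = []
    for p in procs:
        if p.name != "notepad.exe":
            continue
        for t in tokens(p.cmdline)[1:]:
            if not t.startswith("/") and t.lower() != sample.lower():
                out.append(t)
    return out


def split_wpm_events(procs: list, writes: list) -> tuple:
    """Split (writer_pid, target_pid) events into parent-into-own-child writes and the rest."""
    parent_of = {p.pid: p.parent for p in procs}
    into_child = [w for w in writes if parent_of.get(w[1]) == w[0]]
    cross = [w for w in writes if parent_of.get(w[1]) != w[0]]
    return into_child, cross


# Constructed from the report's process tree and WriteProcessMemory IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\main.pyw"
PROCS = [
    Proc(3480, r"C:\Windows\system32\cmd.exe", "cmd /c " + SAMPLE),
    Proc(372, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    Proc(3232, r"C:\Windows\system32\NOTEPAD.EXE",
         f'"C:\\Windows\\system32\\NOTEPAD.EXE" {SAMPLE}', parent=372),
]
WPM_EVENTS = [(372, 3232), (372, 3232)]

if __name__ == "__main__":
    print(execution_verdict(PROCS, SAMPLE))
    print("note candidates:", ransom_note_candidates(PROCS, SAMPLE))
    print("WPM into own child / cross-process:", split_wpm_events(PROCS, WPM_EVENTS))
```

On this report the verdict is "not executed (opened as a document)", the note-candidate list is empty and both WriteProcessMemory events are a parent writing into its own child; a run where pythonw.exe launched the sample would flip the verdict to "executed". The tokeniser is deliberately minimal (double quotes only), which is enough for the command lines a sandbox prints.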