Analysis

max time kernel:  104s
max time network: 136s
platform:         windows10-2004_x64
resource:         win10v2004-20250619-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted:        04/07/2025, 18:17
Behavioral tasks

task         sample             resource
behavioral1  BestXineMenu.exe   win10v2004-20250610-en
behavioral2  BestXineMenu.exe   win11-20250619-en
behavioral3  BestXineMenu.pyc   win10v2004-20250619-en
behavioral4  BestXineMenu.pyc   win11-20250619-en
General

Target: BestXineMenu.pyc
Size:   163KB
MD5:    3a781a9745da359b6ee096a46b9b88f2
SHA1:   2caa2e247fbea7a7dd0198fb935ae8bad8b7dc1c
SHA256: 1a826788af39091e06c80a4f9e0b82dd9ee568ee274db0f5ecdd4e2cfc2833ac
SHA512: e82d6bf6a89c5d1de062dcb3be71fe107b84a913d7d0e63c40626acb3159c904405b7e8daf891d0c1353daedad678683323e543a4f97951f3b28d9629e54248c
SSDEEP: 3072:o0eKl30EzFrUprsWVZpYTr9fArM6c8iBaI3W5xdCxqITQcSVtopak:o0eKFpru7VZpQArMt86aF1k/Tutoak
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000_Classes\Local Settings  OpenWith.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  pid   process
  5064  NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  2084  OpenWith.exe

Suspicious use of SetWindowsHookEx (41 IoCs)
  pid   process
  2084  OpenWith.exe  (41 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
  description                          pid   process       procid_target
  PID 2084 wrote to memory of 5064     2084  OpenWith.exe  101
  PID 2084 wrote to memory of 5064     2084  OpenWith.exe  101
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\BestXineMenu.pyc
  PID: 1480
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2084
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE  (child of PID 2084)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BestXineMenu.pyc
    PID: 5064
    - Opens file in notepad (likely ransom note)