Analysis
- max time kernel: 131s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 18:00
Behavioral tasks
- behavioral1: sample Tropical External.exe, resource win7-20240508-en
- behavioral2: sample Tropical External.exe, resource win10v2004-20240508-en
- behavioral3: sample Stealer.pyc, resource win7-20240611-en
- behavioral4: sample Stealer.pyc, resource win10v2004-20240508-en
General
- Target: Stealer.pyc
- Size: 71KB
- MD5: 08efeae84deaffbb04080369bee72321
- SHA1: 64b8d052041de22e1027bad19b8d50493e2bb467
- SHA256: 6f97d33c902c8b561de53d8fede0e088ea1bc190fbdca5dbf1b7e42d7c62b5e7
- SHA512: 737e6dd9a3c8319e995fc5f391fee2f67ec665d40244d6fc323e1a22dfb5c2e06d0234b0a742acd5deae3aee1d84685fb92519561d5b7c5c7c859edb809e3f61
- SSDEEP: 768:T2zHKg6S6tRXI4MX6SfeD86FHL1WYG1htXTx8fPMBaS1XCZ0AnjtBnrQL4Yuhtb:T2zH76tRXIzJ6WP/xB4S1uF5FrKs
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings (process: cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings (process: OpenWith.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  NOTEPAD.EXE, PID 4512
  Caveat: this signature fires whenever a file is handed to notepad. The file opened here is the submitted sample itself, C:\Users\Admin\AppData\Local\Temp\Stealer.pyc (see the process tree below), not a ransom note.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  OpenWith.exe, PID 744
- Suspicious use of SetWindowsHookEx (33 IoCs)
  OpenWith.exe, PID 744 (33 hook installations, all from the same process)
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 744 (OpenWith.exe) wrote to the memory of PID 4512 (NOTEPAD.EXE), recorded twice
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Stealer.pyc
  Signatures: Modifies registry class
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Stealer.pyc
    Signatures: Opens file in notepad (likely ransom note)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8

Reading the tree: cmd /c handed Stealer.pyc to the shell, which raised the "Open with" dialog (OpenWith.exe -Embedding), consistent with no handler being registered for .pyc on this image, and notepad was then launched to display the file. No Python interpreter appears anywhere in the tree, so the sample's own code did not execute in this run. Every behavioral signature above is raised by cmd.exe, OpenWith.exe or NOTEPAD.EXE, which are Windows shell components, and the hook, foreground-window and WriteProcessMemory events are what the dialog does when it launches its chosen application. The report therefore says nothing about what Stealer.pyc does when run under Python; it needs static analysis or a detonation environment that has Python installed.
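Because the run above never reached a Python interpreter, the next step a practitioner would take is a static first look at the .pyc. The script below is an added example for this page and is not part of the sandbox report or of the sample: it parses the 16-byte PEP 552 header (magic word, flags, then either mtime and source size or an 8-byte source hash) and, only when the magic matches the interpreter running the script, unmarshals the code object and collects string constants and referenced names from every nested code object without executing any of it. `build_sample_pyc` and `SAMPLE_SOURCE` are constructed stand-ins for a stealer-like module; the real Stealer.pyc is not reproduced here. Run it in an isolated VM: `marshal` is not hardened against malicious input, and a foreign magic word must be mapped to a Python release (the table lives in CPython's `Lib/importlib/_bootstrap_external.py`) and analysed with an interpreter of that version.

```python
"""Static header and string triage for a CPython .pyc file (PEP 552 layout)."""
import importlib.util
import marshal
import struct
import types

HEADER_LEN = 16  # magic(4) + flags(4) + (mtime(4) + source_size(4) | source_hash(8))

# Constructed demo source standing in for a stealer module; not the real sample.
SAMPLE_SOURCE = (
    'import os\n'
    'WEBHOOK = "https://example.invalid/hook"\n'
    'def grab():\n'
    '    return os.environ.get("APPDATA")\n'
)


def build_sample_pyc(source: str) -> bytes:
    """Compile `source` with the running interpreter and wrap it in a
    timestamp-based .pyc header, the same layout CPython writes to __pycache__."""
    code = compile(source, "stealer_sample.py", "exec")
    header = importlib.util.MAGIC_NUMBER
    header += struct.pack("<I", 0)  # flags = 0: timestamp-based pyc
    header += struct.pack("<II", 1719770400, len(source.encode("utf-8")))  # arbitrary mtime, source size
    return header + marshal.dumps(code)


def parse_header(data: bytes) -> dict:
    """Decode the header fields; raises ValueError if this is not a .pyc."""
    if len(data) < HEADER_LEN or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc header")
    magic_word = struct.unpack("<H", data[:2])[0]
    flags = struct.unpack("<I", data[4:8])[0]
    info = {
        "magic_word": magic_word,                       # identifies the CPython release
        "hash_based": bool(flags & 1),                  # PEP 552 bit 0
        "check_source": bool(flags & 2),                # PEP 552 bit 1
        "matches_interpreter": data[:4] == importlib.util.MAGIC_NUMBER,
    }
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()
    else:
        info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info


def extract_strings(code: types.CodeType, min_len: int = 4) -> list[str]:
    """Walk the code object and every nested code object (functions, classes,
    comprehensions), collecting string constants and attribute/global names.
    This is pure data inspection; no bytecode is executed."""
    found = set()
    stack = [code]
    while stack:
        co = stack.pop()
        found.update(n for n in co.co_names if len(n) >= min_len)
        for const in co.co_consts:
            if isinstance(const, str) and len(const) >= min_len:
                found.add(const)
            elif isinstance(const, types.CodeType):
                stack.append(const)
    return sorted(found)


def triage(data: bytes) -> dict:
    """Header fields plus extracted strings, or strings=None when the magic
    belongs to a different CPython release (marshal format is version-specific)."""
    info = parse_header(data)
    if not info["matches_interpreter"]:
        info["strings"] = None
        return info
    code = marshal.loads(data[HEADER_LEN:])
    info["strings"] = extract_strings(code)
    return info


if __name__ == "__main__":
    result = triage(build_sample_pyc(SAMPLE_SOURCE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real sample, replace `build_sample_pyc(...)` with the bytes read from disk. If `matches_interpreter` is false, the strings are still reachable by running the same script under the release that `magic_word` denotes; URLs, webhook paths, registry key names and browser profile paths usually surface in this pass and are enough to scope the stealer before any dynamic run.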