80ee928d1c9395b8d4ab1fa21461dcbd561a1b15eb88f23be1d528460268be39

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealer.pyc
Size

71KB
MD5

08efeae84deaffbb04080369bee72321
SHA1

64b8d052041de22e1027bad19b8d50493e2bb467
SHA256

6f97d33c902c8b561de53d8fede0e088ea1bc190fbdca5dbf1b7e42d7c62b5e7
SHA512

737e6dd9a3c8319e995fc5f391fee2f67ec665d40244d6fc323e1a22dfb5c2e06d0234b0a742acd5deae3aee1d84685fb92519561d5b7c5c7c859edb809e3f61
SSDEEP

768:T2zHKg6S6tRXI4MX6SfeD86FHL1WYG1htXTx8fPMBaS1XCZ0AnjtBnrQL4Yuhtb:T2zH76tRXIzJ6WP/xB4S1uF5FrKs

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4512 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

744 OpenWith.exe

pid	process
4512	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

OpenWith.exe

pid	process
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe
744	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description pid process target process

PID 744 wrote to memory of 4512 744 OpenWith.exe NOTEPAD.EXE
PID 744 wrote to memory of 4512 744 OpenWith.exe NOTEPAD.EXE

description	pid	process	target process
PID 744 wrote to memory of 4512	744	OpenWith.exe	NOTEPAD.EXE
PID 744 wrote to memory of 4512	744	OpenWith.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stealer.pyc
1⤵
- Modifies registry class
PID:3064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Stealer.pyc
2⤵
- Opens file in notepad (likely ransom note)
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads