Analysis
- max time kernel: 138s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 02:42
Behavioral tasks
- behavioral1: sample IncognitoReborn.exe, resource win7-20240419-en
- behavioral2: sample IncognitoReborn.exe, resource win10v2004-20240508-en
- behavioral3: sample w4sp-v2-4.pyc, resource win7-20231129-en
- behavioral4: sample w4sp-v2-4.pyc, resource win10v2004-20240611-en
General
- Target: w4sp-v2-4.pyc
- Size: 45KB
- MD5: 9416bd3645986392c2926fd29d324674
- SHA1: 8d4baadec5e349faab47c012a14c3f902baf6476
- SHA256: 4ab8668d8ca06cdfabf44231bb6a5ab8c18429522955117ff55c881d93409cfa
- SHA512: 6e1c0c479c0244a8ff706ae4ed47c8d630d8cd4e96a6a87db76a0b1d0d64c3137c72f5afcfb85371cfad6bdbc8d51a8d6c84fb72262645491c24cf2186d0b61b
- SSDEEP: 768:i9CYRCJJsXH9rtx/iat10gH3zVo/wfEqBzL1jMmSIhX9UzBQFYCH50kITCes95ZI:AcJsXH9JQw10gjWofECzLVSmeyFL0CZI
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (12 IoCs)
  Processes: OpenWith.exe, cmd.exe
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file
  - OpenWith.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\.pyc\ = "pyc_auto_file"
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file\shell\edit
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file\shell\edit\command
  - OpenWith.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file\shell\open
  - cmd.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\.pyc
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file\shell
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file\shell\open\command
  - OpenWith.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
  - OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  - PID 1796 OpenWith.exe
- Suspicious use of SetWindowsHookEx (23 IoCs)
  Processes: OpenWith.exe
  - PID 1796 OpenWith.exe (23 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  - PID 1796 OpenWith.exe wrote to memory of PID 4608 NOTEPAD.EXE
  - PID 1796 OpenWith.exe wrote to memory of PID 4608 NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\w4sp-v2-4.pyc
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\w4sp-v2-4.pyc