31475717735f9aee20def2a4044b42a52cb92e8cf885b92a042099a273688135

Analysis

max time kernel
300s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-03-2023 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plugin_vba_dco.py
Size

2KB
MD5

77e69457bb1aed6bbbdbc4d6ad1adc3e
SHA1

d60593a12f2ca2f394a8d3c55b24d912dea7b4b0
SHA256

d0b385f64c596fea19d21cc64daf38d60d10973d08dc2ab56f2ea65d35d4cf85
SHA512

4d19c7cfe828597df44bc0594396d4e6ec85bbae271a5b2273aadb43e856f2a2fd23409e7a2a5308160ae6a0b5f99891c3c41c209ce09e97dbc2c073002c0017

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

268 AcroRd32.exe
268 AcroRd32.exe
268 AcroRd32.exe

pid	process
268	AcroRd32.exe
268	AcroRd32.exe
268	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2000 wrote to memory of 1152	2000	cmd.exe	rundll32.exe
PID 2000 wrote to memory of 1152	2000	cmd.exe	rundll32.exe
PID 2000 wrote to memory of 1152	2000	cmd.exe	rundll32.exe
PID 1152 wrote to memory of 268	1152	rundll32.exe	AcroRd32.exe
PID 1152 wrote to memory of 268	1152	rundll32.exe	AcroRd32.exe
PID 1152 wrote to memory of 268	1152	rundll32.exe	AcroRd32.exe
PID 1152 wrote to memory of 268	1152	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\plugin_vba_dco.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\plugin_vba_dco.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\plugin_vba_dco.py"
3⤵
- Suspicious use of SetWindowsHookEx
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads