31475717735f9aee20def2a4044b42a52cb92e8cf885b92a042099a273688135

Analysis

max time kernel
299s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-03-2023 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plugin_vba_routines.py
Size

973B
MD5

d1fa73e4a982ca72b8a334e350b9c73d
SHA1

bbc623631a9d11728e092095a88ec777d6c4929b
SHA256

766e89a98c22207a9c10892525d42b2577edc50040152da073ce3964c4064d8f
SHA512

9e14e3542a4d46746f827c57b8d83eccb626b633e47c72bde310842139eed99a8e366c54f391dd47d83711e68b4cacc724903f891429607d172493ddc360ee20

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\py_auto_file	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1628 AcroRd32.exe
1628 AcroRd32.exe
1628 AcroRd32.exe

pid	process
1628	AcroRd32.exe
1628	AcroRd32.exe
1628	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1132 wrote to memory of 1428	1132	cmd.exe	rundll32.exe
PID 1132 wrote to memory of 1428	1132	cmd.exe	rundll32.exe
PID 1132 wrote to memory of 1428	1132	cmd.exe	rundll32.exe
PID 1428 wrote to memory of 1628	1428	rundll32.exe	AcroRd32.exe
PID 1428 wrote to memory of 1628	1428	rundll32.exe	AcroRd32.exe
PID 1428 wrote to memory of 1628	1428	rundll32.exe	AcroRd32.exe
PID 1428 wrote to memory of 1628	1428	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\plugin_vba_routines.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\plugin_vba_routines.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\plugin_vba_routines.py"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads