Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
11-08-2023 02:42
Behavioral task
behavioral1
Sample
Photo.scr
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
ftpcrack.pyc
Resource
win7-20230712-en
General
-
Target
ftpcrack.pyc
-
Size
31KB
-
MD5
7dec2a4693aff97a3c69a1bb6ec1fc5e
-
SHA1
bda38c25002ed785261343c7e1e085e2fa01e977
-
SHA256
fbd502647a65b3d2b1d654be47073f375cb67d49cedd516b80516dbd9c4bcc63
-
SHA512
d735d3ddfa942392d6982eb20621e0301bdd62dd1e804d4240c18945f886ad2ea50378cd15ae8fadb9d38b70743ad3f2e2c8e3daa82988595460e18c8a8e60dc
-
SSDEEP
768:m64+MyRk4o7v8Q0xqhtzZlryFu1KGxf6POOUExMTpKUcc9dDObS:m64+Rji8FxqnZlryFQhh6PbUEK9Ks91H
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\pyc_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.pyc rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\pyc_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2956 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
AcroRd32.exepid process 2956 AcroRd32.exe 2956 AcroRd32.exe 2956 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1912 wrote to memory of 2804 1912 cmd.exe rundll32.exe PID 1912 wrote to memory of 2804 1912 cmd.exe rundll32.exe PID 1912 wrote to memory of 2804 1912 cmd.exe rundll32.exe PID 2804 wrote to memory of 2956 2804 rundll32.exe AcroRd32.exe PID 2804 wrote to memory of 2956 2804 rundll32.exe AcroRd32.exe PID 2804 wrote to memory of 2956 2804 rundll32.exe AcroRd32.exe PID 2804 wrote to memory of 2956 2804 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2956
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5c42aebb40cff1aa61b1bcb11bdfde6b1
SHA10ec628caa64a56f532abc938e2dad187569c1803
SHA256c90cf4a604af304b1bfb6af62b71d875eb101e809ef1f96f3cdd97143bca3360
SHA51244f78d824bb738b14e69159385c4bfca417a2dbefd47df69348c1f0e4da8145b07a3444c0bdfabad57374bbfdda1f769b60ca50c8f3162e5a043b661cf0be471