af94ddf7c35b9d9f016a5a4b232b43e071d59c6beb1560ba76df20df7b49ca4c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
11-08-2023 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ftpcrack.pyc
Size

31KB
MD5

7dec2a4693aff97a3c69a1bb6ec1fc5e
SHA1

bda38c25002ed785261343c7e1e085e2fa01e977
SHA256

fbd502647a65b3d2b1d654be47073f375cb67d49cedd516b80516dbd9c4bcc63
SHA512

d735d3ddfa942392d6982eb20621e0301bdd62dd1e804d4240c18945f886ad2ea50378cd15ae8fadb9d38b70743ad3f2e2c8e3daa82988595460e18c8a8e60dc
SSDEEP

768:m64+MyRk4o7v8Q0xqhtzZlryFu1KGxf6POOUExMTpKUcc9dDObS:m64+Rji8FxqnZlryFQhh6PbUEK9Ks91H

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2092 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2092 AcroRd32.exe
2092 AcroRd32.exe
2092 AcroRd32.exe

pid	process
2092	AcroRd32.exe

pid	process
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2796 wrote to memory of 2612	2796	cmd.exe	rundll32.exe
PID 2796 wrote to memory of 2612	2796	cmd.exe	rundll32.exe
PID 2796 wrote to memory of 2612	2796	cmd.exe	rundll32.exe
PID 2612 wrote to memory of 2092	2612	rundll32.exe	AcroRd32.exe
PID 2612 wrote to memory of 2092	2612	rundll32.exe	AcroRd32.exe
PID 2612 wrote to memory of 2092	2612	rundll32.exe	AcroRd32.exe
PID 2612 wrote to memory of 2092	2612	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2092

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
d4ab428dc44e28b07b4b0686916ff390

SHA1
69e53bcdb3f98fe536ab1824a2d8e85118b8c3f9

SHA256
db26e875d6d8d9ef9410d0ad9d3a4e85bded95ac2cae6e3ca487d03710137e0e

SHA512
91c3d13c8ab770da41addd48b76ed0d17b71338c1c4079fa6ed023e6d2ac0ed84e34b18e426f931fe137356ebf5f4b771f9c3d2e00a77ec51c1facc905d498fa

Download Submit