58a5177dd04daf84d6794e32f3ae73b418b2d0bce5d296496302715446c21143

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

portablemc-4.0.1/portablemc/cli/lang.py
Size

13KB
MD5

92ea71701762f366eb0c7609b1736aeb
SHA1

c4e6ad98c9f3c10246f8597065fdd4877791c6e9
SHA256

6e3e01639dfcc1252e261a64a00ae26a57d6686522e1ca906e6c6477a4326059
SHA512

d406c258afb86c627a9c1c04b5da89eb6669c3555038d8fd07a71ca965f581c6bbb9d9350b1676d2d5e5ce23bc8c8f8dc9dfa45dc41643ccfa4879590e93d5bc
SSDEEP

384:44y4Bw27NVTveqS2K8PMwn2ZTI3jWZyIa:44y4+QTveqS2vkwCIoa

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\py_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2668	AcroRd32.exe
2668	AcroRd32.exe
2668	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2968	2064	cmd.exe	29
PID 2064 wrote to memory of 2968	2064	cmd.exe	29
PID 2064 wrote to memory of 2968	2064	cmd.exe	29
PID 2968 wrote to memory of 2668	2968	rundll32.exe	30
PID 2968 wrote to memory of 2668	2968	rundll32.exe	30
PID 2968 wrote to memory of 2668	2968	rundll32.exe	30
PID 2968 wrote to memory of 2668	2968	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\portablemc-4.0.1\portablemc\cli\lang.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\portablemc-4.0.1\portablemc\cli\lang.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\portablemc-4.0.1\portablemc\cli\lang.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2b61abcbd24d2f966403431b547216cc

SHA1
cd8fda976e8243fb8ecb4a34e238efa2f5d35e37

SHA256
d7cdb3b4de12abab8dcd32c49f735c835f286a380a341e33d9892f36f8831419

SHA512
6c915ae6b58cf9de2fe88f48d16a128b00bd3597c81caee7e9aadc7f969bd6714e0670fa8c8a0e94c357377ad507f0cbce0019cde371b7ad564e7f49104676bf

Download Submit