f5dddac843617c7a738f2c776f0bc71c15fdafe3ea0f04c18277e77a3b4db4ea

Analysis

max time kernel
177s
max time network
92s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/__pycache__/common.cpython-311.pyc
Size

12KB
MD5

a9922a4f9f02a327c567f3c490f1e154
SHA1

6ec9fd3c5c65ff2158b97b38ee638febf84c7d10
SHA256

8a7e96dd40482411aba150f4f5d6a7135836eb1b54ac5f707296f78be9d658c8
SHA512

2ff36b254fb0418b7f0afac0728b39a3234afbd5f4ca339c081afbc84ddc445b1f397d57c20ab1d206659c0c4e2180c476b61e27124661bee1df831b9c361f46
SSDEEP

192:wVO1X9YAKG6yOBAKi3DEzXzxeHOQl99aZGLImgOBwIQqLzXzxnzvoZ:wiwG66EjteZLQZGLImLjtzwZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1268	AcroRd32.exe
1268	AcroRd32.exe
1268	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2496	2500	cmd.exe	31
PID 2500 wrote to memory of 2496	2500	cmd.exe	31
PID 2500 wrote to memory of 2496	2500	cmd.exe	31
PID 2496 wrote to memory of 1268	2496	rundll32.exe	33
PID 2496 wrote to memory of 1268	2496	rundll32.exe	33
PID 2496 wrote to memory of 1268	2496	rundll32.exe	33
PID 2496 wrote to memory of 1268	2496	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\doc_fragments\__pycache__\common.cpython-311.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\doc_fragments\__pycache__\common.cpython-311.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\doc_fragments\__pycache__\common.cpython-311.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3f82289f5613f89eacab27fd1b893c94

SHA1
3ae3ff0e421fe85839dbf46321bd7d7622b4241d

SHA256
fb0a2f4deefb9ab256bee688249213ae02d34d7b23dbd6ebb760dcea219bf7b7

SHA512
d304e42aee07cf46eefc1005cda1db583f1742d9cce9ee117ab7ac20884b35303aee8e308b7215064b632b374201a3addad180daee1dfd59f55e9f127bd482e8

Download Submit