f5dddac843617c7a738f2c776f0bc71c15fdafe3ea0f04c18277e77a3b4db4ea

Analysis

max time kernel
222s
max time network
162s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/action/__pycache__/s3_object.cpython-311.pyc
Size

3KB
MD5

93af76b1998384d1ffd350791eec050d
SHA1

6c73d252ff5b5f7ae7faae16cbb4559891d62212
SHA256

f7d291b144ebf92479cf8fcd0729c95aefdb449774eee8f470c002560312f411
SHA512

fffce082fe591a468a36be83ddbc5044c0513328b7edf319cc2f538de1a51ae301a57e2560f99e3ad01f47359d10b98dced467a6b8ea695da97a7932dc93ecbc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2972	AcroRd32.exe
2972	AcroRd32.exe
2972	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2760	2308	cmd.exe	27
PID 2308 wrote to memory of 2760	2308	cmd.exe	27
PID 2308 wrote to memory of 2760	2308	cmd.exe	27
PID 2760 wrote to memory of 2972	2760	rundll32.exe	28
PID 2760 wrote to memory of 2972	2760	rundll32.exe	28
PID 2760 wrote to memory of 2972	2760	rundll32.exe	28
PID 2760 wrote to memory of 2972	2760	rundll32.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\action\__pycache__\s3_object.cpython-311.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\action\__pycache__\s3_object.cpython-311.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\action\__pycache__\s3_object.cpython-311.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a1611ca9cf7c8164dd0da7aa74706939

SHA1
a59059b6b38cc1da48897ecfee52686b49ba53b7

SHA256
22bb66e0e4de9633dfbf928b90d7eef8c2a1d30a253f4de0896cab81eb527873

SHA512
a40b31b922f4fe97cdcf4428ea99b00813836c0dd9727b939c9134b9ed929de5d3035d8de06656645087b367727fdecf2f86d1287a2d88da80d648a690833d5c

Download Submit