ec2e340b5acb84a94171cf79b5348c9b7456f8fea3dff08ab64ecd068fc06d23

Analysis

max time kernel
189s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-10-2023 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/lookup/__pycache__/aws_secret.cpython-311.pyc
Size

14KB
MD5

0f6af884c94de899752b6e868ba6242c
SHA1

bc7579a8be4377ad83f8d9e5895418a8569a5542
SHA256

2c0ab43f36089823c8bb62105fbbfdd2ab73383e4d17045b2606f6681872c6f6
SHA512

f0694cc5fb2266c9214059e4342f1216b6422f6474e83ecbef6b22ab9ecad9c661423aa9c0b8d48698ccd3711b089078b0bf52a7a1809cd2361b1936fa81b0a5
SSDEEP

192:JjAoHKRwsiZFNG1Q7YE2kDQlKfqtaKkNbCY/QV2XVeUVCLnFV3Wq8fP:J8YZFNG1Qf2kdfqQeo02XAUmnYP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1204	AcroRd32.exe
1204	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2760	2668	cmd.exe	29
PID 2668 wrote to memory of 2760	2668	cmd.exe	29
PID 2668 wrote to memory of 2760	2668	cmd.exe	29
PID 2760 wrote to memory of 1204	2760	rundll32.exe	31
PID 2760 wrote to memory of 1204	2760	rundll32.exe	31
PID 2760 wrote to memory of 1204	2760	rundll32.exe	31
PID 2760 wrote to memory of 1204	2760	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\lookup\__pycache__\aws_secret.cpython-311.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\lookup\__pycache__\aws_secret.cpython-311.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\lookup\__pycache__\aws_secret.cpython-311.pyc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
49d528467121427507b0e1e1017a93e4

SHA1
638e8a56977d8c140bf16b0454b98e23a70296db

SHA256
b04b9917fbb3ac5ad1a9609a5656cec47909cae3661abfe281b4c531972b7810

SHA512
a3eb82031f551e6d8afc28d8b16e4c6d4657aa6c976cbb99bc57ce4846722adb7453e4f8982178099c2c01d0a6adcf22d384b61406f52fec6ab85804ef44e494

Download Submit