e14e2cc6853f1fff20086236eb4d576ed71db795e15c3148c22dd1e6ae4b8f90

Analysis

max time kernel
164s
max time network
69s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/__pycache__/tags.cpython-311.pyc
Size

2KB
MD5

a5124e9f6c7f571ee053f75881d8c6b4
SHA1

4377116394990884d4728184a7748613bca7ac4b
SHA256

c36216a4932f8b377d42e02a3b3af67282b1c70ec002abf4b3296a46a25ff8eb
SHA512

c3e477456ed9a883fc456fe933a300e18acf29f802c2046c19de3467d78cc7183487a2bcd0788830f218ca5f81c5fef69fe7dd2d59457384e1b02b15c1808cf7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1708	AcroRd32.exe
1708	AcroRd32.exe
1708	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2456	2576	cmd.exe	31
PID 2576 wrote to memory of 2456	2576	cmd.exe	31
PID 2576 wrote to memory of 2456	2576	cmd.exe	31
PID 2456 wrote to memory of 1708	2456	rundll32.exe	32
PID 2456 wrote to memory of 1708	2456	rundll32.exe	32
PID 2456 wrote to memory of 1708	2456	rundll32.exe	32
PID 2456 wrote to memory of 1708	2456	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\doc_fragments\__pycache__\tags.cpython-311.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\doc_fragments\__pycache__\tags.cpython-311.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\usr\lib\python3.11\site-packages\ansible_collections\amazon\aws\plugins\doc_fragments\__pycache__\tags.cpython-311.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
58c1b3a201505d4093c16390ea84593f

SHA1
37e8857c909fa0bd2cc2f70a3d63985d183e919e

SHA256
4793cc4546a03c0973189d85c773e87c0a19eed679139b9b4b279fd14b5392fc

SHA512
b8b117b5ee105ae42556ae7f74b138b5d4abfc55923cd520cac9039b07860509d3922abffdce166918c5b0c9cc525b2043fa6cc9ab8000ec4c4bf73fe89475d0

Download Submit