50e36d96cb593c39afa2fc11ac25c976f0ff1586159d2eb2626902e6d6062f81

Analysis

max time kernel
248s
max time network
166s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lib/Crypto/Cipher/ARC2.pyc
Size

6KB
MD5

a3d07514942e51b4bcc43c1d6e3d52d1
SHA1

569b90cb9dcd5d3f9ff8305cb7105eec3c64610b
SHA256

65e1a0d0d04f5ded83fbe937dfd8ce226426026383a508a214ff7e10a89ec6c1
SHA512

7b79e5f25d8398da86d2a438962d694a936e5996fdf483234369f660cc6c0f7d382cf791a787a88a1080a8fd52bde399a7ed3cf952bf2f1581b4def89fc85b03
SSDEEP

96:31vDVsusiGQ/uwh5KPGdmpmmynGdtLAvEjIcgBzlYk0vfUgggMy:31vsFErjmpmmynGdtcAfUZqcgggR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_Classes\Local Settings	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2496	2700	cmd.exe	29
PID 2700 wrote to memory of 2496	2700	cmd.exe	29
PID 2700 wrote to memory of 2496	2700	cmd.exe	29
PID 2496 wrote to memory of 2468	2496	rundll32.exe	30
PID 2496 wrote to memory of 2468	2496	rundll32.exe	30
PID 2496 wrote to memory of 2468	2496	rundll32.exe	30
PID 2496 wrote to memory of 2468	2496	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lib\Crypto\Cipher\ARC2.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\lib\Crypto\Cipher\ARC2.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lib\Crypto\Cipher\ARC2.pyc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f98cefdbd37b4ea85d7188c3013c731e

SHA1
2329e6fe90c3d4c2ef7b0c85bf50b1a4bad8b5bd

SHA256
692891709daa4a4cdb133da9a037bb9927ad9506aec8fb8da1c23cad6edde525

SHA512
b0378c39503f8d98568375fd3393e1c80f0e664089377253d440ec2f751aa5d05b7da876c52e5777d26e2c8280474dc5585830bdb5493ac9c58a0340790dd2b5

Download Submit