af94ddf7c35b9d9f016a5a4b232b43e071d59c6beb1560ba76df20df7b49ca4c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ftpcrack.pyc
Size

31KB
MD5

7dec2a4693aff97a3c69a1bb6ec1fc5e
SHA1

bda38c25002ed785261343c7e1e085e2fa01e977
SHA256

fbd502647a65b3d2b1d654be47073f375cb67d49cedd516b80516dbd9c4bcc63
SHA512

d735d3ddfa942392d6982eb20621e0301bdd62dd1e804d4240c18945f886ad2ea50378cd15ae8fadb9d38b70743ad3f2e2c8e3daa82988595460e18c8a8e60dc
SSDEEP

768:m64+MyRk4o7v8Q0xqhtzZlryFu1KGxf6POOUExMTpKUcc9dDObS:m64+Rji8FxqnZlryFQhh6PbUEK9Ks91H

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2640 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2640 AcroRd32.exe
2640 AcroRd32.exe

pid	process
2640	AcroRd32.exe

pid	process
2640	AcroRd32.exe
2640	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2060 wrote to memory of 2268	2060	cmd.exe	rundll32.exe
PID 2060 wrote to memory of 2268	2060	cmd.exe	rundll32.exe
PID 2060 wrote to memory of 2268	2060	cmd.exe	rundll32.exe
PID 2268 wrote to memory of 2640	2268	rundll32.exe	AcroRd32.exe
PID 2268 wrote to memory of 2640	2268	rundll32.exe	AcroRd32.exe
PID 2268 wrote to memory of 2640	2268	rundll32.exe	AcroRd32.exe
PID 2268 wrote to memory of 2640	2268	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ftpcrack.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2640

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
019cb7e82254f54fad7f13e34f40438a

SHA1
6e43f65c951fef9d14970b78727bfae4a3910f8c

SHA256
7c461fbf23c497dacade09544a8783829f8ec45a39a7b2c8364c9fa9d7f72253

SHA512
4aba9457ec0889d28c148d8bccfaeacef617a39d379ddc2a831d00affd1a3aa5f6addc7beee21f5d39cb8a13e88a0ccc1e47d2f8cb422769c739c12917f30fa5

Download Submit