a4fcf33920d72da4ddab4987526feb5e9671935e2265ced20d4ac795c2c8a2cb

Analysis

max time kernel
297s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

python-mysqldb-2.4.tar.gz
Size

130KB
MD5

935d7aa15b51e425233a8026a161d7ac
SHA1

3c78274c799d5e9bf2cc19ccf61cd6cc784a2b70
SHA256

a4fcf33920d72da4ddab4987526feb5e9671935e2265ced20d4ac795c2c8a2cb
SHA512

b067d886bec866cefe9d87cfcc910da71df0cc7e73c3a727beea52a6304faade9c343289c3fedd5a5c948df17a5943cff9dce32b3ecef1b15a6ed91ae3384fd5
SSDEEP

3072:pIfpNI2MBr1cvF5w0BOjS+rzkpqkPMstnZ3M4ABGOQdvaL9U1fvPrZtzoLvDuqJ2:tvDuqJffLxVSgE29xxspm0niivuz3bXk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1596	7zFM.exe
Token: 35	1596	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1596	7zFM.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1596	1428	cmd.exe	89
PID 1428 wrote to memory of 1596	1428	cmd.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\python-mysqldb-2.4.tar.gz
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\python-mysqldb-2.4.tar.gz"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads