01e38e52035112609c5b5630a116aa4d7395b4a0859533afdff18d525228185c

Analysis

max time kernel
38s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gusnabo.pyc
Size

32KB
MD5

30868f3b74e81f564aff3a4d18314b48
SHA1

84f08f784808d881434af14cc98f7bb5a46b6ef2
SHA256

3e86aeed09b78f79e8b0782134dfd62e56c854b042eedcbef7ac105402934e90
SHA512

d659b2c070a1408b7d6d90cfeb7ba04b3b99807235fad43de8012034f7bc8c78d04e4d40a78fa70ad16a8c0dfbd9c3fc8d0e3ceb0d9df22738b1b8bac8d6b5f8
SSDEEP

768:L83nrm2VsfNEiyAuAfKFMrRtfqtvEwS7bnjerAroaHDsIAvN8YC06X:I3r0e3aKFcfDwS7fOPviYD6X

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2832	2068	cmd.exe	29
PID 2068 wrote to memory of 2832	2068	cmd.exe	29
PID 2068 wrote to memory of 2832	2068	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Gusnabo.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Gusnabo.pyc
  2⤵
  - Modifies registry class
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...