39683e288e1052794d30c04455c0731c369a1efc2db61351f3f08959679cd579

Resubmissions

11/02/2024, 21:57

240211-1t9scsdg96 10

02/02/2024, 22:15

240202-16ah2ahbh8 10

02/02/2024, 22:07

240202-11pqrsghg7 10

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal.pyc
Size

48KB
MD5

067f13649b2c6431ee07f56da4235c4b
SHA1

ff56d266068185eaf75a8c54d8e8c52e55bea436
SHA256

f6f7b18bcff6b517718151d6caf9930e5f33301a928e8d81dbe6354101c7cb58
SHA512

53b611fa3b6bab7a31134de700305ed1e8e89d6c488d6a04d2114052476ef5a4303efd9bcd3f23e315806672fe65b1834dc53bc8a78e8395d811007bba7a3956
SSDEEP

768:PpFnrAya7K+aTMdcmrVWwzO/phReWdXEXuGtz07VOZZ4GQmGw8jt4xMao3Q1:/rTaqMamgphoWdUeOPZZ4GQmGwWaoA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2648	AcroRd32.exe
2648	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2556	2220	cmd.exe	29
PID 2220 wrote to memory of 2556	2220	cmd.exe	29
PID 2220 wrote to memory of 2556	2220	cmd.exe	29
PID 2556 wrote to memory of 2648	2556	rundll32.exe	30
PID 2556 wrote to memory of 2648	2556	rundll32.exe	30
PID 2556 wrote to memory of 2648	2556	rundll32.exe	30
PID 2556 wrote to memory of 2648	2556	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Creal.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Creal.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
21abc3adc2b0a21f8330a8fe604fe7b0

SHA1
4c5455b25d912b6a69ace73ccf03e3b26b0719df

SHA256
ff67d36faf2bd15c239372d1f225166764de03f84005c78ed963bc00a1cf5782

SHA512
f9928347a0f4781971fd0e8d154a9ae063628f053e91abf77eac0231dda7c1824b10c982c9fc462c1beef2066627cb02e7e086af8dcdde30b4841ba750e2255b

Download Submit