8005aeec19f9465dc8827dce6d0ac8c8edcc25ce64bd7b351c45813efd964430

General

Target

4.py
Size

5KB
MD5

b9cdac3f9cb33324f0f0a423f60abeb3
SHA1

ad6fd136f40a2c76367f594ffbbd002db963206a
SHA256

8005aeec19f9465dc8827dce6d0ac8c8edcc25ce64bd7b351c45813efd964430
SHA512

dfca5d102db01d3363ff7d31869b5b1f1ed14b2f06e76a6629fbcac00b1dd4dfa76aef56c33cf6b937e487324d366b3527d5bdc59730a44236084638a176f7d4
SSDEEP

96:5S6XkwVafqhi8FIHzKLshSi/ffb8ulXfFj7Ef/Hms7evZxCX:5S6jVaci8FIHzKLsz8gp8ye

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

pid process

1740 AcroRd32.exe
1372 AcroRd32.exe
2884 AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2720 AcroRd32.exe

pid	process
1740	AcroRd32.exe
1372	AcroRd32.exe
2884	AcroRd32.exe

pid	process
2720	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2152	AUDIODG.EXE
Token: 33	2152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2152	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exeAcroRd32.exe

pid process

2720 AcroRd32.exe
2720 AcroRd32.exe
2720 AcroRd32.exe
2884 AcroRd32.exe
2884 AcroRd32.exe

pid	process
2720	AcroRd32.exe
2720	AcroRd32.exe
2720	AcroRd32.exe
2884	AcroRd32.exe
2884	AcroRd32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

cmd.exerundll32.execmd.exe

description	pid	process	target process
PID 2652 wrote to memory of 2680	2652	cmd.exe	rundll32.exe
PID 2652 wrote to memory of 2680	2652	cmd.exe	rundll32.exe
PID 2652 wrote to memory of 2680	2652	cmd.exe	rundll32.exe
PID 2680 wrote to memory of 2720	2680	rundll32.exe	AcroRd32.exe
PID 2680 wrote to memory of 2720	2680	rundll32.exe	AcroRd32.exe
PID 2680 wrote to memory of 2720	2680	rundll32.exe	AcroRd32.exe
PID 2680 wrote to memory of 2720	2680	rundll32.exe	AcroRd32.exe
PID 604 wrote to memory of 1740	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 1740	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 1740	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 1740	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 1372	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 1372	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 1372	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 1372	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 2884	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 2884	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 2884	604	cmd.exe	AcroRd32.exe
PID 604 wrote to memory of 2884	604	cmd.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:500

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1740

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1372

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "F:\4.py"
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "F:\4.py"
1⤵
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1a7003e986e72c933d86dc3af3c03432

SHA1
3eaf12d546b785f478b486ab068f2790e44e233f

SHA256
e50181da8f6f75a5ac32af2599db35b6327af2868e3c979c6ae39fb86f033926

SHA512
ba1dae9876b8f62a2cc5f59c6a46408323040cd9b9acf54be385e930ca92db3f86b09c4dfdb0cf8e087e8bb3d5fb2c0e931032bea03f7b4c9ff09e9b376cd5a5

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin

Filesize
70KB

MD5
8a4ac03151d32a8b50a8a9de78bc2e30

SHA1
cc50ef0acdc93dd1e6a74de1ce463906e74b5a8c

SHA256
723959d317a8cf3d06eb8a62ba288a7d1032f00fbecff540b56f0b72555b97e5

SHA512
5f7b726e05fb2fcf2a4f3422925fdf850b27e9fa5a331981059f19fa4a55f133a4d7904f14d0147dd873a918bb607a5da34ce0aef652ed197170de0efb8cac2b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads