37b9722dbf8684aadf2d6017942eae875a63bc668bb830c9ff063522bddbb8e5

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Piano Autoplay.pyc
Size

2KB
MD5

b6ddb2653dfc6ba812dd45e302884008
SHA1

624ce608e8d91833b496cfc85bb7f97d173740df
SHA256

0ec26c707f2979433a45c7a62254ba6fe83911d38bc8f5690f5d9ee2fa5e424b
SHA512

1bde963c6fde0d6006ad173274f40885fbc842fbc81f333f5b2e5fca6cd3129e9782b9e8dcd425c97cfd75e192c6be2be1a3694077adcef821266370e0aee5ab

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.pyc	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2836	AcroRd32.exe
2836	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2728	2188	cmd.exe	29
PID 2188 wrote to memory of 2728	2188	cmd.exe	29
PID 2188 wrote to memory of 2728	2188	cmd.exe	29
PID 2728 wrote to memory of 2836	2728	rundll32.exe	30
PID 2728 wrote to memory of 2836	2728	rundll32.exe	30
PID 2728 wrote to memory of 2836	2728	rundll32.exe	30
PID 2728 wrote to memory of 2836	2728	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Piano Autoplay.pyc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Piano Autoplay.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Piano Autoplay.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9acab443e8813b71252384660a65d90c

SHA1
ad3b47c53868a6b89c5cfe2dda836ec0c96b71bb

SHA256
24e602b22c1bc34a5e2d69df10cb111bc3733cd70f0e169c525a3da4e5e8c4fd

SHA512
c949d82b03881320f64553a9b3fa35afc53d7086ee4ce1b51507de978434499dff2c884b11c89f0305af8b46bc3698c4b7b9cc2eb86bbda628eb29292ad1eab4

Download Submit