Analysis

- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23/02/2024, 12:49
Behavioral tasks

- behavioral1: sample TokenGen.exe, resource win7-20240221-en
- behavioral2: sample TokenGen.exe, resource win10v2004-20240221-en
- behavioral3: sample TokenGen.pyc, resource win7-20240221-en
- behavioral4: sample TokenGen.pyc, resource win10v2004-20240221-en
General

- Target: TokenGen.pyc
- Size: 3KB
- MD5: e918327d5a721d0be2b9eb5120fde9e0
- SHA1: 2951b7a21bc5d708b7d04517f491490eaaa4b0a2
- SHA256: cdcbaf746361226ef823876715b1fa9e0bccb2c5d087d90ac8bf752b19ad5664
- SHA512: 89e86e7ba3fdd5f2ce030c80997cc9d67d6d878f4793f15c78d1f20a3f26afb0c4d99d0f48d6ba1e995cfe4de659b67c8d0e7172468d4ce9c61352720a1948e9
Malware Config

Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Every entry is written by rundll32.exe (PID 2948 in the process tree) under HKU\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES, the per-user classes hive (HKCU\Software\Classes) that a standard user can modify and that is consulted ahead of HKLM\Software\Classes when the shell resolves a file type. Together the entries register a new ProgID pyc_auto_file, map .pyc to it, and give it a shell\Read\command that launches Adobe Reader.

  description      ioc                                                                                             process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.pyc  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell\Read  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.pyc\ = "pyc_auto_file"  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\pyc_auto_file\shell\Read\command  rundll32.exe
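To make the nine rows above answer the question an analyst actually has (which extension was mapped to which handler, and by whom), here is a small Python parser that walks the IoC rows and resolves the extension -> ProgID -> shell verb -> executable chain. It is an added example, not code from the sandbox report or its vendor; the rows are transcribed from the table above, and the (description, ioc, process) column layout plus the reading of a trailing `\ = "..."` as the key's (Default) value are assumptions about that table's conventions.

```python
"""Reconstruct the file-association chain behind the report's 'Modifies registry
class' signature.  Added example, not code from the sandbox report or its vendor.
Rows are transcribed from the IoC table; the (description, ioc, process) column
layout and the treatment of a trailing '\\ = "..."' as the key's (Default) value
are assumptions about the table's conventions."""
import re
from collections import defaultdict

# The user classes hive every row in the report is written under.  HKU\<SID>_Classes
# is HKCU\Software\Classes for that user: writable without admin rights, and
# consulted before HKLM\Software\Classes when the shell resolves an extension.
CLASSES_ROOT = r"\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES"

# IoC rows as printed in the report (constructed from its table, not captured live).
# Values keep the report's C-style escaping (\\ and \") and are decoded in parse_row().
REGISTRY_IOCS = [
    ("Set value (str)",
     CLASSES_ROOT + r"\pyc_auto_file\shell\Read\command\ = "
     + r'"\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""',
     "rundll32.exe"),
    ("Key created", CLASSES_ROOT + r"\pyc_auto_file", "rundll32.exe"),
    ("Key created", CLASSES_ROOT + r"\.pyc", "rundll32.exe"),
    ("Key created", CLASSES_ROOT + r"\pyc_auto_file\shell\Read", "rundll32.exe"),
    ("Key created", CLASSES_ROOT + r"\pyc_auto_file\shell", "rundll32.exe"),
    ("Key created", CLASSES_ROOT.replace("_CLASSES", "_Classes") + r"\Local Settings",
     "rundll32.exe"),
    ("Set value (str)", CLASSES_ROOT + "\\pyc_auto_file\\", "rundll32.exe"),
    ("Set value (str)", CLASSES_ROOT + r"\.pyc\ = " + '"pyc_auto_file"', "rundll32.exe"),
    ("Key created", CLASSES_ROOT + r"\pyc_auto_file\shell\Read\command", "rundll32.exe"),
]


def parse_row(description, ioc, process):
    """Split one row into (key relative to CLASSES_ROOT, (Default) value or None, process).

    A 'Set value' row without ' = ' (the pyc_auto_file\\ row above) is a write whose
    content the report did not print, so its value is None rather than ''."""
    key, value = ioc, None
    if description.startswith("Set value") and " = " in ioc:
        key, raw = ioc.split(" = ", 1)
        # Strip the outer quotes and undo the escaping of \ and " inside them.
        value = re.sub(r"\\(.)", r"\1", raw[1:-1])
    if key.lower().startswith(CLASSES_ROOT.lower()):
        key = key[len(CLASSES_ROOT):]
    return key.strip("\\"), value, process


def exe_from_command(command):
    """Executable a verb command line launches: the quoted first token, or the bare one."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return m.group(1) or m.group(2)


def resolve_associations(rows):
    """One record per extension registered: the ProgID it maps to, every verb command
    under that ProgID with the executable it launches, and the processes that wrote
    any of those keys.  Matching is case-insensitive, as the registry is."""
    defaults, original, writers = {}, {}, defaultdict(set)
    for description, ioc, process in rows:
        rel, value, proc = parse_row(description, ioc, process)
        norm = rel.lower()
        original.setdefault(norm, rel)
        writers[norm].add(proc)
        if description.startswith("Set value"):
            defaults[norm] = value

    results = []
    for norm, progid in defaults.items():
        if not norm.startswith(".") or progid is None:
            continue
        prefix = progid.lower()
        verbs = {}
        for cmd_norm, command in defaults.items():
            m = re.fullmatch(re.escape(prefix) + r"\\shell\\[^\\]+\\command", cmd_norm)
            if m and command is not None:
                verb = original[cmd_norm].split("\\")[-2]
                verbs[verb] = {"command": command, "exe": exe_from_command(command)}
        touched = {p for k, procs in writers.items() for p in procs
                   if k == norm or k == prefix or k.startswith(prefix + "\\")}
        results.append({"extension": original[norm], "progid": progid,
                        "verbs": verbs, "writers": touched})
    return results


if __name__ == "__main__":
    for assoc in resolve_associations(REGISTRY_IOCS):
        print(f"{assoc['extension']} -> {assoc['progid']} "
              f"(written by {', '.join(sorted(assoc['writers']))})")
        for verb, info in assoc["verbs"].items():
            print(f"  shell\\{verb}\\command -> {info['exe']}")
```

Run as-is it reports `.pyc -> pyc_auto_file (written by rundll32.exe)` with a single `Read` verb pointing at AcroRd32.exe. The same routine applies to any report that shows an extension being (re)mapped in the user hive: the thing to check is whether the writer is the sample or, as here, shell plumbing.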
- Suspicious use of SetWindowsHookEx (4 IoCs)

  pid   process
  2700  AcroRd32.exe  (4 events)
- Suspicious use of WriteProcessMemory (7 IoCs)

  description                        pid   process       procid_target
  PID 2832 wrote to memory of 2948   2832  cmd.exe       29  (3 events)
  PID 2948 wrote to memory of 2700   2948  rundll32.exe  30  (4 events)
Processes

1. C:\Windows\system32\cmd.exe  (PID 2832)
   cmd /c C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe  (PID 2948)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 2700)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc"
         - Suspicious use of SetWindowsHookEx

How to read this tree: the sandbox launched the sample with cmd /c, and the win7 image has no handler for .pyc, so the shell fell through to the Open With dialog (shell32.dll,OpenAs_RunDLL). The handler chosen in that dialog was Adobe Reader 9, which is why rundll32.exe registered the pyc_auto_file class with a shell\Read\command under the user's classes hive and then opened TokenGen.pyc as a document. No Python interpreter appears anywhere in the tree, so the bytecode in TokenGen.pyc was never executed; the registry, SetWindowsHookEx and WriteProcessMemory signatures describe the shell and Adobe Reader, not the sample. Each WriteProcessMemory event is a parent writing into the child it has just created (2832 into 2948, 2948 into 2700), which is the ordinary process-creation path rather than injection into an unrelated process. For the sample's own behaviour, see the behavioral1 and behavioral2 tasks, which run TokenGen.exe.
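The reading above can be checked mechanically: collapse the WriteProcessMemory rows into unique writer/target edges, ask whether each target is the writer's own child in the process tree, and look for any process that both received the sample path and is a Python interpreter. The Python below does that. It is an added example, not code from the sandbox report or its vendor; the tree and the rows are transcribed from the report, while the row column layout and the INTERPRETERS list are assumptions.

```python
"""Cross-check the report's WriteProcessMemory rows against its process tree and
ask whether anything in the tree could have executed the .pyc.  Added example, not
code from the sandbox report or its vendor.  Tree and rows are transcribed from the
report; the row column layout and the INTERPRETERS list are assumptions."""
import re
from collections import Counter

# Process tree as printed in the report: (pid, parent pid, image, command line).
# None marks the root, whose parent the report does not show.
PROCESS_TREE = [
    (2832, None, "cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc"),
    (2948, 2832, "rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
     r"C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc"),
    (2700, 2948, "AcroRd32.exe",
     r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc"'),
]

# WriteProcessMemory rows: (description, pid, process, procid_target), one row per
# event, so a parent/child pair repeats.  Transcribed from the report.
WPM_IOCS = (
    [("PID 2832 wrote to memory of 2948", 2832, "cmd.exe", 29)] * 3
    + [("PID 2948 wrote to memory of 2700", 2948, "rundll32.exe", 30)] * 4
)

# Images that would actually run Python bytecode (assumed list, not from the report).
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"}
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\TokenGen.pyc"


def write_edges(rows):
    """Collapse repeated events into {(writer pid, target pid): event count}."""
    edges = Counter()
    for description, pid, _image, _target_idx in rows:
        m = re.fullmatch(r"PID (\d+) wrote to memory of (\d+)", description)
        writer, target = int(m.group(1)), int(m.group(2))
        if writer != pid:
            raise ValueError(f"row pid {pid} disagrees with description: {description}")
        edges[(writer, target)] += 1
    return edges


def classify_writes(rows, tree):
    """Label each unique write edge by whether the target is the writer's own child.
    A parent writing into a child it has just created is the ordinary CreateProcess
    path; a write into any other process is the case that deserves a closer look."""
    parent_of = {pid: ppid for pid, ppid, _, _ in tree}
    image_of = {pid: image for pid, _, image, _ in tree}
    return [
        {"writer": image_of.get(writer, str(writer)),
         "target": image_of.get(target, str(target)),
         "events": count,
         "own_child": parent_of.get(target) == writer}
        for (writer, target), count in sorted(write_edges(rows).items())
    ]


def sample_handlers(tree, sample=SAMPLE):
    """Processes that received the sample path on their command line, each with a flag
    for whether the image is a Python interpreter.  cmd.exe and the Open With dialog
    (shell32 OpenAs_RunDLL) only pass the path along, so they are excluded."""
    out = []
    for _pid, _ppid, image, cmdline in tree:
        if (sample.lower() in cmdline.lower() and image.lower() != "cmd.exe"
                and "openas_rundll" not in cmdline.lower()):
            out.append((image, image.lower() in INTERPRETERS))
    return out


def render_tree(tree):
    """Indented text form of the tree, one line per process."""
    children = {}
    for pid, ppid, _, _ in tree:
        children.setdefault(ppid, []).append(pid)
    image_of = {pid: image for pid, _, image, _ in tree}

    def walk(pid, depth):
        lines = [f"{'  ' * depth}{image_of[pid]} (PID {pid})"]
        for child in children.get(pid, []):
            lines.extend(walk(child, depth + 1))
        return lines

    return "\n".join(line for root in children.get(None, []) for line in walk(root, 0))


if __name__ == "__main__":
    print(render_tree(PROCESS_TREE))
    for edge in classify_writes(WPM_IOCS, PROCESS_TREE):
        kind = "parent -> own child" if edge["own_child"] else "CROSS-PROCESS"
        print(f"{edge['writer']} wrote to {edge['target']} x{edge['events']}: {kind}")
    for image, is_interp in sample_handlers(PROCESS_TREE):
        print(f"{image} opened the sample; interpreter: {is_interp}")
```

For this report both write edges come back as parent -> own child and the only process that opened the sample is AcroRd32.exe, not an interpreter. A WriteProcessMemory edge whose target is not the writer's child, or a sample handler that is python.exe, would be the signal to dig into the run rather than discount it.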
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3KB
  MD5: 742a0592b65ebfa368b9b85c8e716a41
  SHA1: f6aba211cc6a8522111b93d451544bed4ab50906
  SHA256: d16c699e94b19da0392e14df75fcde33a31e8890b68e20ed83b3ca042500c484
  SHA512: 9fa0f385e573d188ed427a584a15d2671b6c54ad121b7959f9e913abc8258606e8deda7d7f3d0a0eb5859f9045545ed877672e9dd8357323a1f6ee294c30f74c