Overview

Analysis
  score: 3
  max time kernel: 118s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 07-03-2024 17:59

Tasks (score, task, sample, resource)
  3  static1       -                                                           -
  1  behavioral1   pycryptoconf-1.0.6/pycryptoconf/__init__.py                 win7-20240221-en
  3  behavioral2   pycryptoconf-1.0.6/pycryptoconf/__init__.py                 win10v2004-20240226-en
  3  behavioral3   pycryptoconf-1.0.6/pycryptoconf/_asn1.py                    win7-20240221-en
  3  behavioral4   pycryptoconf-1.0.6/pycryptoconf/_asn1.py                    win10v2004-20240226-en
  3  behavioral5   pycryptoconf-1.0.6/pycryptoconf/_asymmetric.py              win7-20240221-en
  3  behavioral6   pycryptoconf-1.0.6/pycryptoconf/_asymmetric.py              win10v2004-20240226-en
  3  behavioral7   pycryptoconf-1.0.6/pycryptoconf/_cipher_suites.py           win7-20240221-en
  3  behavioral8   pycryptoconf-1.0.6/pycryptoconf/_cipher_suites.py           win10v2004-20240226-en
  3  behavioral9   pycryptoconf-1.0.6/pycryptoconf/_ecdsa.py                   win7-20240221-en
  3  behavioral10  pycryptoconf-1.0.6/pycryptoconf/_ecdsa.py                   win10v2004-20240226-en
  3  behavioral11  pycryptoconf-1.0.6/pycryptoconf/_errors.py                  win7-20240221-en        (this report)
  3  behavioral12  pycryptoconf-1.0.6/pycryptoconf/_errors.py                  win10v2004-20240226-en
  3  behavioral13  pycryptoconf-1.0.6/pycryptoconf/_ffi.py                     win7-20240221-en
  3  behavioral14  pycryptoconf-1.0.6/pycryptoconf/_ffi.py                     win10v2004-20240226-en
  3  behavioral15  pycryptoconf-1.0.6/pycryptoconf/_int.py                     win7-20240221-en
  3  behavioral16  pycryptoconf-1.0.6/pycryptoconf/_int.py                     win10v2004-20240226-en
  3  behavioral17  pycryptoconf-1.0.6/pycryptoconf/_linux_bsd/trust_list.py    win7-20240221-en
  3  behavioral18  pycryptoconf-1.0.6/pycryptoconf/_linux_bsd/trust_list.py    win10v2004-20240226-en
  3  behavioral19  pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto.py      win7-20240220-en
  3  behavioral20  pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto.py      win10v2004-20240226-en
  3  behavioral21  pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_cffi.py win7-20240221-en
  3  behavioral22  pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_cffi.py win10v2004-20240226-en
  3  behavioral23  pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_ctypes.py win7-20240221-en
  3  behavioral24  pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_ctypes.py win10v2004-20240226-en
  3  behavioral25  pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation.py    win7-20240221-en
  3  behavioral26  pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation.py    win10v2004-20240226-en
  3  behavioral27  pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_cffi.py win7-20240221-en
  3  behavioral28  pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_cffi.py win10v2004-20240226-en
  3  behavioral29  pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_ctypes.py win7-20240221-en
  3  behavioral30  pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_ctypes.py win10v2004-20240226-en
  3  behavioral31  pycryptoconf-1.0.6/pycryptoconf/_mac/_security.py          win7-20240221-en
  3  behavioral32  pycryptoconf-1.0.6/pycryptoconf/_mac/_security.py          win10v2004-20240226-en
General
  Target: pycryptoconf-1.0.6/pycryptoconf/_errors.py
  Size: 1021B
  MD5: f6c2835ff323e93ae5de6e648b2559ca
  SHA1: a5c129c31c35c0babb2f519e6c242944b101d44f
  SHA256: b64002a1bbb0d60793e2295f7361659ccbaf739b77037884f80126cb1b049e72
  SHA512: 5e14969ef514620afc9c7589348edfb36506e67f7dcec72b874b895e07c7b4a0ce6dd8e1ba08174483f9955432fa53ea59ab444bda08849e4dd29cb3306dcd71

Malware Config
  (empty)
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  Process: rundll32.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py\ = "py_auto_file"

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2712  AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2712  AcroRd32.exe
  PID 2712  AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1336 (cmd.exe) wrote to memory of PID 2588 (rundll32.exe)      3 events
  PID 2588 (rundll32.exe) wrote to memory of PID 2712 (AcroRd32.exe)  4 events
Processes
  1. C:\Windows\system32\cmd.exe  (PID 1336)
       cmd /c C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_errors.py
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\system32\rundll32.exe  (PID 2588)
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_errors.py
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
       3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 2712)
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_errors.py"
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx

Reading the chain: cmd /c on a .py file with no registered handler hands the file to shell32.dll,OpenAs_RunDLL, which is the shell's "Open With" dialog. Every flagged signature sits downstream of that dialog: rundll32.exe (hosting the dialog) wrote the py_auto_file and .py keys under the user's Classes hive, and AcroRd32.exe was launched as the chosen handler. The report shows no execution of the Python source itself, so the registry and process IoCs describe the sandbox's file-opening fallback rather than anything the sample did.
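Added example, not code from the sandbox report or from the pycryptoconf project: a small Python parser for the "Modifies registry class" and "Suspicious use of WriteProcessMemory" IoC lines above. It rebuilds the cmd.exe > rundll32.exe > AcroRd32.exe chain from the repeated WriteProcessMemory events, extracts the .py > py_auto_file > AcroRd32.exe association that rundll32.exe wrote, and flags any handler that is not an expected Python interpreter. The input strings are copied from this page and split one IoC per line (constructed input); the EXPECTED_HANDLERS baseline and every function name are assumptions made for the example.

```python
"""Added example: parse sandbox registry / WriteProcessMemory IoC lines into
records, rebuild the process chain and flag file-association changes.
Not code from the report or from pycryptoconf."""
import re

# Constructed input: the nine "Modifies registry class" IoCs reported for
# _errors.py, one per line (the report runs them together).
REGISTRY_IOCS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\ rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe
'''

# Constructed input: the seven WriteProcessMemory IoCs, run together as on the page.
WPM_IOCS = (
    'PID 1336 wrote to memory of 2588 1336 cmd.exe rundll32.exe ' * 3
    + 'PID 2588 wrote to memory of 2712 2588 rundll32.exe AcroRd32.exe ' * 4
)

# Assumed baseline (not from the report): images we expect to own the .py verb.
EXPECTED_HANDLERS = {'.py': {'python.exe', 'pythonw.exe', 'py.exe'}}

# "<op> <key>[ = <data>] <process>"; the process image is always the last token.
REG_RE = re.compile(r'^(?P<op>Key created|Set value \((?P<type>\w+)\)) '
                    r'(?P<rest>\\REGISTRY\\.*) (?P<proc>\S+\.exe)$')
EXT_RE = re.compile(r'_CLASSES\\(?P<ext>\.[^\\]+)$', re.IGNORECASE)
CMD_RE = re.compile(r'_CLASSES\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$',
                    re.IGNORECASE)
WPM_RE = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ '
                    r'(?P<srcname>\S+) (?P<dstname>\S+)')


def _unquote(data):
    """Undo the report's quoting: outer quotes, then \\" and \\\\ escapes."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace('\\\\', '\\')


def parse_registry(text):
    """One dict per IoC line: op ('create'/'set'), key, data, writing process."""
    records = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            raise ValueError(f'unrecognised IoC line: {line!r}')
        rest, data = m.group('rest'), None
        if not m.group('op').startswith('Key'):
            rest, sep, raw = rest.partition(' = ')
            data = _unquote(raw) if sep else ''
        records.append({'op': 'create' if m.group('op').startswith('Key') else 'set',
                        'key': rest.rstrip('\\'), 'data': data, 'process': m.group('proc')})
    return records


def file_associations(records):
    """Join '.ext -> progid' with 'progid\\shell\\verb\\command -> command line'."""
    ext_to_progid, progid_to_cmd = {}, {}
    for r in records:
        if r['op'] != 'set' or not r['data']:
            continue
        m = EXT_RE.search(r['key'])
        if m:
            ext_to_progid[m.group('ext').lower()] = r['data']
            continue
        m = CMD_RE.search(r['key'])
        if m:
            progid_to_cmd[m.group('progid')] = (m.group('verb'), r['data'], r['process'])
    result = {}
    for ext, progid in ext_to_progid.items():
        verb, cmd, proc = progid_to_cmd.get(progid, (None, None, None))
        exe = None
        if cmd:  # first token of the command line, quoted or bare
            mm = re.match(r'"([^"]+)"|(\S+)', cmd)
            exe = (mm.group(1) or mm.group(2)).rsplit('\\', 1)[-1]
        result[ext] = {'progid': progid, 'verb': verb, 'command': cmd,
                       'exe': exe, 'set_by': proc}
    return result


def unexpected_handlers(assocs):
    """Extensions whose new handler is not in the assumed baseline."""
    return {ext: a['exe'] for ext, a in assocs.items()
            if a['exe'] and a['exe'].lower() not in EXPECTED_HANDLERS.get(ext, set())}


def process_edges(text):
    """Unique (parent pid, parent image, child pid, child image); the report
    repeats an edge once per WriteProcessMemory call."""
    edges = []
    for m in WPM_RE.finditer(text):
        e = (int(m.group('src')), m.group('srcname'), int(m.group('dst')), m.group('dstname'))
        if e not in edges:
            edges.append(e)
    return edges


def lineage(edges, pid):
    """Image names from the root process down to pid."""
    parent = {dst: (src, srcname) for src, srcname, dst, _ in edges}
    names = {src: srcname for src, srcname, _, _ in edges}
    names.update({dst: dstname for _, _, dst, dstname in edges})
    chain = [names[pid]]
    while pid in parent:
        pid, srcname = parent[pid]
        chain.append(srcname)
    return list(reversed(chain))


if __name__ == '__main__':
    recs = parse_registry(REGISTRY_IOCS)
    assocs = file_associations(recs)
    print('associations:', assocs)
    print('unexpected handlers:', unexpected_handlers(assocs))
    print('chain to 2712:', ' > '.join(lineage(process_edges(WPM_IOCS), 2712)))
```

For this report the association parser returns .py handled by py_auto_file, verb Read, command AcroRd32.exe "%1", written by rundll32.exe, and the chain resolves to cmd.exe > rundll32.exe > AcroRd32.exe; the writer being rundll32.exe hosting OpenAs_RunDLL is the detail that separates an Open With fallback from a deliberate handler hijack by a sample.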
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3KB
  MD5: aff6b76600b09cfae1325af5b11fd490
  SHA1: 76ba0d88f4f43f3bb76596368b9eca700e5b7da1
  SHA256: ce1580e7de4aa9e310c45c4df82a28318f095ea4b2133bd7bab95587f35a6512
  SHA512: 1e906eb19de0d4c0f7dc1432ea548102630a6054c18ac77a62393e5c7948e97df6234580d76c8e440463ffa54ddaebb66eb9d32730ebb8c22ec1a4fa6e2ea7c7