956d2ed558e3c6e447e3d4424d6b14e81f74b63762238e84069f9a7610aa2531

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pycryptoconf-1.0.6/pycryptoconf/_mac/_security.py
Size

4KB
MD5

9a0c114a584ec065f536b35856d68009
SHA1

06652a8827f88381aa08d52d34a106e2ebc9405f
SHA256

736e33e95128b0142b20ef00c628a1718f12ac253e6ebc73c2f29cd438abec3f
SHA512

3acab0a2aed6221b010c993f4b186221f153057b3ce5c771dbe5476086d5d7b216bf9180f530eb1bc763fce3bbfd7617cbdef7b1d1085a95181afd7bed30e4b4
SSDEEP

96:6rCvLnLPmKGFE/E976qnOPYjKN6vLEyPw:6Gl/o76qOP2LHPw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1700 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

1700 AcroRd32.exe
1700 AcroRd32.exe

pid	process
1700	AcroRd32.exe

pid	process
1700	AcroRd32.exe
1700	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1812 wrote to memory of 2568	1812	cmd.exe	rundll32.exe
PID 1812 wrote to memory of 2568	1812	cmd.exe	rundll32.exe
PID 1812 wrote to memory of 2568	1812	cmd.exe	rundll32.exe
PID 2568 wrote to memory of 1700	2568	rundll32.exe	AcroRd32.exe
PID 2568 wrote to memory of 1700	2568	rundll32.exe	AcroRd32.exe
PID 2568 wrote to memory of 1700	2568	rundll32.exe	AcroRd32.exe
PID 2568 wrote to memory of 1700	2568	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_mac\_security.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_mac\_security.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_mac\_security.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2ee667f25432d17ff360946251f97b35

SHA1
445ebbc8cd46e01d68e076bf45bdafc6c413ea5c

SHA256
446e9843c3a398025aa5704da1060c71a8ca7afb8278bda8004763a5a274390b

SHA512
b0e2c0fbfcc71407981b2895a57df70f5cca5d2ffdac6ef8e1cb4414af588d5a97e8196f33c67a6a722bf559efecda52228ca701dcde3bcd090a289aed5518bb

Download Submit