Overview
overview
3Static
static
1pycryptoco...t__.py
windows7-x64
3pycryptoco...t__.py
windows10-2004-x64
3pycryptoco...sn1.py
windows7-x64
3pycryptoco...sn1.py
windows10-2004-x64
3pycryptoco...ric.py
windows7-x64
3pycryptoco...ric.py
windows10-2004-x64
3pycryptoco...tes.py
windows7-x64
3pycryptoco...tes.py
windows10-2004-x64
3pycryptoco...dsa.py
windows7-x64
3pycryptoco...dsa.py
windows10-2004-x64
3pycryptoco...ors.py
windows7-x64
3pycryptoco...ors.py
windows10-2004-x64
3pycryptoco...ffi.py
windows7-x64
3pycryptoco...ffi.py
windows10-2004-x64
3pycryptoco...int.py
windows7-x64
3pycryptoco...int.py
windows10-2004-x64
3pycryptoco...ist.py
windows7-x64
3pycryptoco...ist.py
windows10-2004-x64
3pycryptoco...pto.py
windows7-x64
3pycryptoco...pto.py
windows10-2004-x64
3pycryptoco...ffi.py
windows7-x64
3pycryptoco...ffi.py
windows10-2004-x64
3pycryptoco...pes.py
windows7-x64
3pycryptoco...pes.py
windows10-2004-x64
3pycryptoco...ion.py
windows7-x64
3pycryptoco...ion.py
windows10-2004-x64
3pycryptoco...ffi.py
windows7-x64
3pycryptoco...ffi.py
windows10-2004-x64
3pycryptoco...pes.py
windows7-x64
3pycryptoco...pes.py
windows10-2004-x64
3pycryptoco...ity.py
windows7-x64
3pycryptoco...ity.py
windows10-2004-x64
3Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-03-2024 17:59
Static task
static1
Behavioral task
behavioral1
Sample
pycryptoconf-1.0.6/pycryptoconf/__init__.py
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
pycryptoconf-1.0.6/pycryptoconf/__init__.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
pycryptoconf-1.0.6/pycryptoconf/_asn1.py
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
pycryptoconf-1.0.6/pycryptoconf/_asn1.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
pycryptoconf-1.0.6/pycryptoconf/_asymmetric.py
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
pycryptoconf-1.0.6/pycryptoconf/_asymmetric.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
pycryptoconf-1.0.6/pycryptoconf/_cipher_suites.py
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
pycryptoconf-1.0.6/pycryptoconf/_cipher_suites.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
pycryptoconf-1.0.6/pycryptoconf/_ecdsa.py
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
pycryptoconf-1.0.6/pycryptoconf/_ecdsa.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
pycryptoconf-1.0.6/pycryptoconf/_errors.py
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
pycryptoconf-1.0.6/pycryptoconf/_errors.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
pycryptoconf-1.0.6/pycryptoconf/_ffi.py
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
pycryptoconf-1.0.6/pycryptoconf/_ffi.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
pycryptoconf-1.0.6/pycryptoconf/_int.py
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
pycryptoconf-1.0.6/pycryptoconf/_int.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
pycryptoconf-1.0.6/pycryptoconf/_linux_bsd/trust_list.py
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
pycryptoconf-1.0.6/pycryptoconf/_linux_bsd/trust_list.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto.py
Resource
win7-20240220-en
Behavioral task
behavioral20
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_cffi.py
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_cffi.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_ctypes.py
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_common_crypto_ctypes.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation.py
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_cffi.py
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_cffi.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_ctypes.py
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_core_foundation_ctypes.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_security.py
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
pycryptoconf-1.0.6/pycryptoconf/_mac/_security.py
Resource
win10v2004-20240226-en
General
-
Target
pycryptoconf-1.0.6/pycryptoconf/_mac/_security.py
-
Size
4KB
-
MD5
9a0c114a584ec065f536b35856d68009
-
SHA1
06652a8827f88381aa08d52d34a106e2ebc9405f
-
SHA256
736e33e95128b0142b20ef00c628a1718f12ac253e6ebc73c2f29cd438abec3f
-
SHA512
3acab0a2aed6221b010c993f4b186221f153057b3ce5c771dbe5476086d5d7b216bf9180f530eb1bc763fce3bbfd7617cbdef7b1d1085a95181afd7bed30e4b4
-
SSDEEP
96:6rCvLnLPmKGFE/E976qnOPYjKN6vLEyPw:6Gl/o76qOP2LHPw
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 1700 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 1700 AcroRd32.exe 1700 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1812 wrote to memory of 2568 1812 cmd.exe rundll32.exe PID 1812 wrote to memory of 2568 1812 cmd.exe rundll32.exe PID 1812 wrote to memory of 2568 1812 cmd.exe rundll32.exe PID 2568 wrote to memory of 1700 2568 rundll32.exe AcroRd32.exe PID 2568 wrote to memory of 1700 2568 rundll32.exe AcroRd32.exe PID 2568 wrote to memory of 1700 2568 rundll32.exe AcroRd32.exe PID 2568 wrote to memory of 1700 2568 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_mac\_security.py1⤵
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_mac\_security.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\pycryptoconf-1.0.6\pycryptoconf\_mac\_security.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1700
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD52ee667f25432d17ff360946251f97b35
SHA1445ebbc8cd46e01d68e076bf45bdafc6c413ea5c
SHA256446e9843c3a398025aa5704da1060c71a8ca7afb8278bda8004763a5a274390b
SHA512b0e2c0fbfcc71407981b2895a57df70f5cca5d2ffdac6ef8e1cb4414af588d5a97e8196f33c67a6a722bf559efecda52228ca701dcde3bcd090a289aed5518bb