0ecfa9e9370f383a669aad9db9a28109c24226496b519e7383713c7c1deaf861

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-03-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chronos/src/utils/__pycache__/fuckAccount.cpython-310.pyc
Size

854B
MD5

6d6ebc9c24ed94c3b9000e534f79a1e5
SHA1

ca230838f83d09467a92ffed4016cedc24f12af0
SHA256

e8f1a3c1d4b9f60bf3597f5d9dbabb41e1b621d8ab086c1e869fe41138ce1897
SHA512

a5447f6f0055a735a07d720ca5685565fa68bdb06f0a2860b0e3feb566e4e03478ab544f6a4e7666cc9920dce6269f7c8d12aba01924242ae7c1d5d77db696b8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2648 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2648 AcroRd32.exe
2648 AcroRd32.exe

pid	process
2648	AcroRd32.exe

pid	process
2648	AcroRd32.exe
2648	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1776 wrote to memory of 2740	1776	cmd.exe	rundll32.exe
PID 1776 wrote to memory of 2740	1776	cmd.exe	rundll32.exe
PID 1776 wrote to memory of 2740	1776	cmd.exe	rundll32.exe
PID 2740 wrote to memory of 2648	2740	rundll32.exe	AcroRd32.exe
PID 2740 wrote to memory of 2648	2740	rundll32.exe	AcroRd32.exe
PID 2740 wrote to memory of 2648	2740	rundll32.exe	AcroRd32.exe
PID 2740 wrote to memory of 2648	2740	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Chronos\src\utils\__pycache__\fuckAccount.cpython-310.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Chronos\src\utils\__pycache__\fuckAccount.cpython-310.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Chronos\src\utils\__pycache__\fuckAccount.cpython-310.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2648

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
ea8f7e0a6dc6b4cfce3d053a945ee70b

SHA1
62ff26c4b224c00bcfe580ff4cc6a955a02f4622

SHA256
363347dd68d9533f320d67e8fc85e05dfd655964e083f62e749fb1c5e35d18be

SHA512
0040671c6a7486a62e9da9c49c73e7c770fe2c9ddea2a51c1f3f969e3646328049c287d3811dcb695593fa2cfc8251e79e6720ec3814f9f4f35f0f24bacd968f

Download Submit