eb273057ebb2c9f46004ec2799f928250aa90f83b4da6397703f8bca3097c23c

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub.pyc
Size

877KB
MD5

0306f2627a4661faa1171c020b9c9d7a
SHA1

9d82e7beb06c5e036f7c1ed4804dc9904f7a64cd
SHA256

3beb3a883626089b03ad671d9196286a987f1c15a618b8cd59b6b670ae0c47e7
SHA512

c82a90c6cbe6ba83895fae6183d70a622fa699b90a38fb0838e93b042d76b3803b4e3ab02278f28898a502183a723a3e134840bbfb2fd32da5d79ec2a0561a2d
SSDEEP

12288:jskDgMnjOazeHNHqrdcMj1X9zfrG7BsNMkyGgfXLmzVPg+Aos+1lcR3+kv:AanoIcoNzfr0BsNlmXSzVPg+Aob1lGv

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2660	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2660	AcroRd32.exe
2660	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2652	1992	cmd.exe	29
PID 1992 wrote to memory of 2652	1992	cmd.exe	29
PID 1992 wrote to memory of 2652	1992	cmd.exe	29
PID 2652 wrote to memory of 2660	2652	rundll32.exe	30
PID 2652 wrote to memory of 2660	2652	rundll32.exe	30
PID 2652 wrote to memory of 2660	2652	rundll32.exe	30
PID 2652 wrote to memory of 2660	2652	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
68799be7c3e8583b9ff7700b8248c759

SHA1
f57db1d16ddb900fd0da8e82db9552266160c411

SHA256
b01132434a3f85a3252dc8768d2d06ae373f98dc44a157260861825b6c0ca001

SHA512
0ab68b7d5aa5e906202fbebf5a772772ab6a2f81f79133082b10f072dc3bc127d92a7c553661ac0a48b920630e73f4cad7c7c417219386d0c73b7060acc14864

Download Submit