6995e33cf3c6078ad21fa9f5dccb03cc8a12a27953768cf85ecab1ddce1852a7

Resubmissions

03/05/2024, 20:03 UTC

240503-ysqa8aeb6z 10

Analysis

max time kernel
1558s
max time network
1565s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 20:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

depot_228990/MFGW.app/Contents/Resources/lib/python3.9/copyreg.pyc
Size

4KB
MD5

c230208a8cb6c60dfaf9645d025420cf
SHA1

f6c3bc477f1093d934d362bb2324212a2156d3b7
SHA256

a556aa69410d75d8cf4658ad3a5566fb22d28c74bf5f5ce45d54d9bba04c408a
SHA512

3dc6fdc08b55599c55e86e87c4c3b9a9f232574e65a92309ec65ae18281057a3dcc9429a125e1b8614d60edfbd9cef4f4702d3395cef5a36d927fb2ca4b103d9
SSDEEP

96:HiiU3NlLHfjZN9xiOtktpErU2qsxbl4fqm5vJYHjmTvP+H3TPa:b6bHfBt2UP5WfhtJYHjmTn+H3TPa

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2972	AcroRd32.exe
2972	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1932	2468	cmd.exe	29
PID 2468 wrote to memory of 1932	2468	cmd.exe	29
PID 2468 wrote to memory of 1932	2468	cmd.exe	29
PID 1932 wrote to memory of 2972	1932	rundll32.exe	30
PID 1932 wrote to memory of 2972	1932	rundll32.exe	30
PID 1932 wrote to memory of 2972	1932	rundll32.exe	30
PID 1932 wrote to memory of 2972	1932	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\copyreg.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\copyreg.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\copyreg.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1ae7654b1fbea9f5236444d79ccb20dd

SHA1
febdfdfff6ac5b5d5e635ee3edc5ac2fd56ce172

SHA256
df8edd7352f7dd774a93f88749bf425f01dfcdd6b2395d36fb9c9042ed57068f

SHA512
7a7b10889831402297d66b83ffcf7c1586069e4ae1c03f955a1603741d87fec6b4b5dc854ed4ac85f7aa439f969aef8ed6c64072ad11d5862911b6f1bd99c02b

Download Submit