6995e33cf3c6078ad21fa9f5dccb03cc8a12a27953768cf85ecab1ddce1852a7

Resubmissions

03/05/2024, 20:03

240503-ysqa8aeb6z 10

Analysis

max time kernel
1798s
max time network
1821s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

depot_228990/MFGW.app/Contents/Resources/lib/python3.9/csv.pyc
Size

11KB
MD5

2d52943b245e06e0d4df569e9669c4c8
SHA1

ffba6e3f5995b3e41835270866ebdef9183749c2
SHA256

95010db64347cdc791746f24e92898a82d4610569cec6534a06a4d55d380a2b0
SHA512

be39de45b446409d61087f73f869b69ec7592be7332560217db677a8f6177825bd00d762085263a730a019d2971f1c56873e4872d4cf70dde1560429cad9d8b8
SSDEEP

192:4Jj1+B8vo6S2lWRnrKzYWwjm2XSvXM2PlqOeXZ1MMJ5vMsX1jRCYAf:4JjdQ6S2lIrKgLXCXM2wM85Rsf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2524	AcroRd32.exe
2524	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2760	2308	cmd.exe	31
PID 2308 wrote to memory of 2760	2308	cmd.exe	31
PID 2308 wrote to memory of 2760	2308	cmd.exe	31
PID 2760 wrote to memory of 2524	2760	rundll32.exe	32
PID 2760 wrote to memory of 2524	2760	rundll32.exe	32
PID 2760 wrote to memory of 2524	2760	rundll32.exe	32
PID 2760 wrote to memory of 2524	2760	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\csv.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\csv.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\csv.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
841067da69bedbba7e7c5c69a81a80c6

SHA1
b563e754e189e54277dade5fd51737a15bdc34e1

SHA256
3e61e761ab025264a29f528489327c137e0b01f8c520e4d48a7bf0c40637fb41

SHA512
0ea95a021f1df8e7a9493584ef69299cb42046ea1681648228f5f60646358795ebcf5ada56895b5db74d827204eba10a3636638d813be7e674f6d94e53705e52

Download Submit