6995e33cf3c6078ad21fa9f5dccb03cc8a12a27953768cf85ecab1ddce1852a7

Resubmissions

03/05/2024, 20:03

240503-ysqa8aeb6z 10

Analysis

max time kernel
1795s
max time network
1820s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

depot_228990/MFGW.app/Contents/Resources/lib/python3.9/compileall.pyc
Size

12KB
MD5

164c8b7590c5be4e7daa72cb076f7359
SHA1

0182b680b1355ddc69bf192e4a07ce672ebb8b37
SHA256

800fa294e0dba17f72f06327bcd13a7f7c10e8f9798147a1e2c31665572003fb
SHA512

427d1135936a463f26c9eda1a837ddec5f7af7dfaef6b0c1a86227ab1f85a325c00e27988e839250bf1fde968bbe7905548d174d54bc6a766d13fd0915ed0bf7
SSDEEP

384:/usFJzraMBu7toq69FBEOX7tuWvJyxcl3hlR/w:/PFtraM06f9FqOL0WvJ2w3hl5w

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2664	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	AcroRd32.exe
2664	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2516	2892	cmd.exe	31
PID 2892 wrote to memory of 2516	2892	cmd.exe	31
PID 2892 wrote to memory of 2516	2892	cmd.exe	31
PID 2516 wrote to memory of 2664	2516	rundll32.exe	32
PID 2516 wrote to memory of 2664	2516	rundll32.exe	32
PID 2516 wrote to memory of 2664	2516	rundll32.exe	32
PID 2516 wrote to memory of 2664	2516	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\compileall.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\compileall.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\depot_228990\MFGW.app\Contents\Resources\lib\python3.9\compileall.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
300b8613bb978bb7f9248d495831911f

SHA1
dc57ba12ca605ff3917310c3a5af88999c704197

SHA256
e6941ec64fbdade2dcf2bdadf38112261956dafd6a0e24e18daf4f5859a576e8

SHA512
610a57933c8974d521d188afc698d37d12db3cfd7c5c4dcc49162e3180475f2d543bb7847208cb63a8ca07dd5db80f2290b1908995cc3352927ae64b6df0c7cb

Download Submit