1282490c13b3a87a34fe4acaf3d3c6ae32865d33c21573188df62cd3652bda79

Analysis

max time kernel
0s
max time network
0s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 10:34

Target

eee.pyc
Size

10KB
MD5

3c4c0a0f1a28e0bac74cf7325805411b
SHA1

a5cd404eea0ec988531c13dbb46090b21a5b3b86
SHA256

41a9ca2619456563ca7368c78ba5e49991b20ae024fd8e2423397afebdc88bd7
SHA512

7cb7cc571ce3012cb00a5f7a36216a666dc80e44c336bf05dc70d6a509c472eb3b77c8041cccc20fd1c9eb1b1334a8e3911566b7290a0e617dfddd72a5fe1dce
SSDEEP

192:YsxwIW+ybEgKflN7qToSvduxEJCpCi44WSCLLR+:YKg+ybmooWbaR44WSqR+

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2664	3008	cmd.exe	29
PID 3008 wrote to memory of 2664	3008	cmd.exe	29
PID 3008 wrote to memory of 2664	3008	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\eee.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\eee.pyc
  2⤵
  - Modifies registry class
  PID:2664

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact