ee08898040836a55a1b02c2181aa40d2e4d91ff1d707cacab1a590415dbb39c1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

passwords_grabber.pyc
Size

8KB
MD5

704dced7f7530b19a34a5f7a71c26b10
SHA1

608d9647488cfa2b5f84a891028168a973bfcfa9
SHA256

1fd284f1e27263bd2a16050c6989933a382c7d196f4c9f247187cc3b3f6ba3ac
SHA512

e4a6710abef2c45d631745c91d8135873be06e5b240a61362e341d05ecc1dedf885487a554b648c328a3c5cc17fcf74e6d066b2e3f51379358ba28c2a0f2f39f
SSDEEP

192:+CE34EAL/GFf/PomdPO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfRBO8NsxuOxNn

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2676 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2676 AcroRd32.exe
2676 AcroRd32.exe

pid	process
2676	AcroRd32.exe

pid	process
2676	AcroRd32.exe
2676	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2244 wrote to memory of 2800	2244	cmd.exe	rundll32.exe
PID 2244 wrote to memory of 2800	2244	cmd.exe	rundll32.exe
PID 2244 wrote to memory of 2800	2244	cmd.exe	rundll32.exe
PID 2800 wrote to memory of 2676	2800	rundll32.exe	AcroRd32.exe
PID 2800 wrote to memory of 2676	2800	rundll32.exe	AcroRd32.exe
PID 2800 wrote to memory of 2676	2800	rundll32.exe	AcroRd32.exe
PID 2800 wrote to memory of 2676	2800	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2676

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
50760ad03468b280a1baa56ea9d6934e

SHA1
c11b555831ce42a61e53b89f36ae658723340ae9

SHA256
a7e51acbff206e5584c197fcef815cdfe35b105f6fae6c1489ac914479b11c2b

SHA512
66516c329609ef589a1805b060cdd900491bc09565f1cc34f0157cab93683c7f74c3725ab4ab369066086ba617c3ecb1c3c3a8e73e6d322cffb212d04931048c

Download Submit