52b76346d02c11ce533e09dc8f5646f8e65b22b04e1298c3226c88a87f994489

Resubmissions

26/05/2024, 13:42

240526-qz4s7age6w 8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub-o.pyc
Size

114KB
MD5

5a4a226dba4b705346900bc3e7640320
SHA1

decd95d4c419ecb4eb5ff48bfc0367cfa08f1e6d
SHA256

5716894da8af8ff97c3e09cf19dcaed63feb59914026c3fd89ced79ced83e2fa
SHA512

c8beed15a89fe061047251ede2c64b166a260d284788f970d508fbafd849f4493c06105392f9da96fbcd985edb2c98b0cff793a23d02f1254d8e59802748792f
SSDEEP

3072:UPUJVyUkznGFpktlgYCdDfh2aeJwomcjcfGU6S:U0obnGFCgRD52L1hYeU6S

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2928	2392	cmd.exe	29
PID 2392 wrote to memory of 2928	2392	cmd.exe	29
PID 2392 wrote to memory of 2928	2392	cmd.exe	29
PID 2928 wrote to memory of 2704	2928	rundll32.exe	30
PID 2928 wrote to memory of 2704	2928	rundll32.exe	30
PID 2928 wrote to memory of 2704	2928	rundll32.exe	30
PID 2928 wrote to memory of 2704	2928	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\stub-o.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\stub-o.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\stub-o.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
99bf1eb4dccffbc408606ae3990647d6

SHA1
7a01156c5333cc7c9ad179c94954552c5eff4238

SHA256
c1adde11a9eecbcda93bf50e2e7027faefc929622df87faf8098f1e733402312

SHA512
103b6c9977aa8eb557a18292fa4540616da2fdc56dde6c5a628028bd6ba9776d1ef751e0ade61bd847aa3dd42826fcb838206b09eed4ef79592c5c29faa02489

Download Submit