4dc1eb897afbf8f0cc72b12ae5561e9c7a65a855ddbe60140700cd13f5db482c

Analysis

max time kernel
0s
max time network
126s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 22:22

Target

main.pyc
Size

67KB
MD5

54c13d2e7267dfc6048606e98e9c8085
SHA1

73a3bdbf0c9ded1d29fc513a215c9f169e7fa5ac
SHA256

01f5f2991f3910f9fd2378ca7c996b1880651771d6149f2963b2232184f3050a
SHA512

631c1e638bd1a0b76eb89a3d909956ae8b43dbff151ac994f3edded014ed3883ecbaad69a5e49682133af45fc99f93cf3f061873fa0da8165a8d74b392c61823
SSDEEP

1536:GYM1GKwfs1TpCWVwvfePVN1/tTGwlG9BeehXes:Ng/Ged+ekes

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2852 wrote to memory of 3024	2852	cmd.exe	rundll32.exe
PID 2852 wrote to memory of 3024	2852	cmd.exe	rundll32.exe
PID 2852 wrote to memory of 3024	2852	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
  2⤵
  PID:3024
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
    3⤵
    PID:2812

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact