Analysis
  max time kernel: 42s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 28-05-2024 02:15
Behavioral tasks
  behavioral1: sample PixelFlasher.exe, resource win7-20240508-en
  behavioral2: sample PixelFlasher.exe, resource win10v2004-20240226-en
  behavioral3: sample PixelFlasher.pyc, resource win7-20240508-en
  behavioral4: sample PixelFlasher.pyc, resource win10v2004-20240508-en
General
  Target: PixelFlasher.pyc
  Size: 194B
  MD5: 91ce1b2387240a986da96f6fb09e78e0
  SHA1: c322271cb70a5360b26ff64782b656e5dfaa4eb4
  SHA256: 873a4fa35e8858afa2ccc5e8175a5bc5ce3a98c758c527a430f547485f4a5519
  SHA512: f79e3fdda6135fd047857ff341e0f10293024be0abb85932f041d4d0b9ea3e9df92466bc40de80b660f79ab40c0e95107261d1c04782f9515346b0c2b46df863
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description     | ioc                                                                                                   | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\                    | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc                              | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file"           | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read          | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings                    | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file                     | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell               | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command  | rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid  | process
  2460 | AcroRd32.exe
  2460 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description                   | pid  | process      | target process
  PID 1636 wrote to memory of 2580 | 1636 | cmd.exe      | rundll32.exe
  PID 1636 wrote to memory of 2580 | 1636 | cmd.exe      | rundll32.exe
  PID 1636 wrote to memory of 2580 | 1636 | cmd.exe      | rundll32.exe
  PID 2580 wrote to memory of 2460 | 2580 | rundll32.exe | AcroRd32.exe
  PID 2580 wrote to memory of 2460 | 2580 | rundll32.exe | AcroRd32.exe
  PID 2580 wrote to memory of 2460 | 2580 | rundll32.exe | AcroRd32.exe
  PID 2580 wrote to memory of 2460 | 2580 | rundll32.exe | AcroRd32.exe
Processes

1. C:\Windows\system32\cmd.exe
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\PixelFlasher.pyc
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PixelFlasher.pyc
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PixelFlasher.pyc"
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 6b10f717ab68d3625134fbd82c1ad4f1
  SHA1: 2a66d154c2322b93fb53e87c18938964c696423c
  SHA256: 7c32b01acffb0e1b06ca0e231fef27c290dedb74f2c676e93e707d4fd58461b9
  SHA512: 227813dec5cb6c9f47616e30cc6385de3103f2be612b3689c39acd4bb137837df50a7f7d26f18c087aec5155a73353c9b0fbfac754f40ab8915a3f136b000506