Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 19:26
Behavioral tasks
task         | sample                                    | resource
behavioral1  | Usermode_Font_Driver_Host.exe             | win7-20240221-en
behavioral2  | Usermode_Font_Driver_Host.exe             | win10v2004-20240426-en
behavioral3  | FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc  | win7-20240508-en
behavioral4  | FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc  | win10v2004-20240508-en
General
Target: FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc
Size: 57KB
MD5: 60b8028c9eb3d44737f4c6d9ac7c533c
SHA1: 96d82ff6be6b8706718a7057a66a59449a2c79bd
SHA256: e59dbebef0de2d2f52ce32c96a9dabde0772b0c8cf4b5d0853ba8619a4a5f04b
SHA512: 2de02b9bb0810cc01408675ba7851fe7cdce886d813ce1f1d12de282a61d3692b134e3b1678aaaad1f925a4603a750c25e74ab5d28aae90c7d05ea2fac5b7f51
SSDEEP: 768:XlRydzFvesK7wchntnTlqv/ofgfDfv5SnOer6bUAfBr/LSCFrqEqvjz03:WdxvWqv/U16bFzyPa
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
Processes: rundll32.exe
description      | ioc                                                                                                                                                           | process
Set value (str)  | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\                                                                           | rundll32.exe
Key created      | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell                                                                      | rundll32.exe
Key created      | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command                                                         | rundll32.exe
Set value (str)  | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  | rundll32.exe
Key created      | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings                                                                           | rundll32.exe
Key created      | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc                                                                                     | rundll32.exe
Set value (str)  | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc\ = "pyc_auto_file"                                                                  | rundll32.exe
Key created      | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read                                                                 | rundll32.exe
Key created      | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file                                                                            | rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: AcroRd32.exe
pid   | process
2644  | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: AcroRd32.exe
pid   | process
2644  | AcroRd32.exe
2644  | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: cmd.exe, rundll32.exe
description                        | pid   | process       | procid_target
PID 2244 wrote to memory of 2724   | 2244  | cmd.exe       | 29
PID 2244 wrote to memory of 2724   | 2244  | cmd.exe       | 29
PID 2244 wrote to memory of 2724   | 2244  | cmd.exe       | 29
PID 2724 wrote to memory of 2644   | 2724  | rundll32.exe  | 30
PID 2724 wrote to memory of 2644   | 2724  | rundll32.exe  | 30
PID 2724 wrote to memory of 2644   | 2724  | rundll32.exe  | 30
PID 2724 wrote to memory of 2644   | 2724  | rundll32.exe  | 30
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc
   - Suspicious use of WriteProcessMemory
   PID: 2244
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2724
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FEDFNJHJDNJFSJDNOFDSOIFBNSEUIBFHG83W.pyc"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         PID: 2644
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 764c7a7b3c9a3535c4ada8c64f436c0a
SHA1: 46a556f96284e35a321a546f62f222333bd00d1a
SHA256: 47c552df0beb04c8989ab069809e00c9e4f7bc46e39e521e5e4ec2de05c4c564
SHA512: d1b49a86be48c5dce63382b43ab382000b05ef1565e176600e592172d6bf12654c9ce98800d472f8b512de108bf81c378dacf9866aa2b61d7a2b47101eec4f1b