Analysis

  • max time kernel
    18s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-06-2024 07:51

General

  • Target

    NLChecker.pyc

  • Size

    14KB

  • MD5

    93637bd176c597ba191aaee8f2825478

  • SHA1

    30f50e9753f9465c354896476b0a11c4f6fc3799

  • SHA256

    6d54497e65d5840d1c00ec973965f6075c71a3db6936338a1cc94cc6ec16ec01

  • SHA512

    b4cf2b8e53c74b8fb823c2dac15bea4ecb6823929cc2b9ea2d2c574911b62c190736d69cefd2d6e56cdc7e88b6115f7d6583d9dbdd8d9820450d608dc1bf0935

  • SSDEEP

    384:ahz8hCCu3cbNytQStKdbUmKLglPxNeXCqGo:Wz8YCe8ktQStKdbUmKaP2SXo

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    656db2ca74769c26378fcfbca59c09c5

    SHA1

    0bd3142ac6182a416d20ffb183f28778755dbd29

    SHA256

    83417067f96e202f5161d4cd94484ad32d242c0ff614357c150b48e20b21b5d4

    SHA512

    0735aaaf1db6fdb145218cf1003a9607e704918aa4d5ef8ecdb2a9913d2edd8c3fa6470610a0a05f1a923bcea0d5f6ad223d8ddcf5ced932be18b367234f9de4