Overview
overview
3Static
static
1server.pyc
windows10-1703-x64
3server.pyc
windows7-x64
3server.pyc
windows10-2004-x64
3server.pyc
windows11-21h2-x64
3server.pyc
android-10-x64
server.pyc
android-11-x64
server.pyc
android-13-x64
server.pyc
android-9-x86
server.pyc
macos-10.15-amd64
1server.pyc
debian-12-armhf
server.pyc
debian-12-mipsel
server.pyc
debian-9-armhf
server.pyc
debian-9-mips
server.pyc
debian-9-mipsel
server.pyc
ubuntu-18.04-amd64
server.pyc
ubuntu-20.04-amd64
Analysis
-
max time kernel
1559s -
max time network
1559s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-06-2024 23:35
Static task
static1
Behavioral task
behavioral1
Sample
server.pyc
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
server.pyc
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
server.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
server.pyc
Resource
win11-20240426-en
Behavioral task
behavioral5
Sample
server.pyc
Resource
android-x64-20240603-en
Behavioral task
behavioral6
Sample
server.pyc
Resource
android-x64-arm64-20240603-en
Behavioral task
behavioral7
Sample
server.pyc
Resource
android-33-x64-arm64-20240603-en
Behavioral task
behavioral8
Sample
server.pyc
Resource
android-x86-arm-20240603-en
Behavioral task
behavioral9
Sample
server.pyc
Resource
macos-20240410-en
Behavioral task
behavioral10
Sample
server.pyc
Resource
debian12-armhf-20240221-en
Behavioral task
behavioral11
Sample
server.pyc
Resource
debian12-mipsel-20240221-en
Behavioral task
behavioral12
Sample
server.pyc
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral13
Sample
server.pyc
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral14
Sample
server.pyc
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral15
Sample
server.pyc
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral16
Sample
server.pyc
Resource
ubuntu2004-amd64-20240508-en
General
-
Target
server.pyc
-
Size
17KB
-
MD5
caba296bbf4da22bb7948bf3288d71cb
-
SHA1
99453aabfafa284387f0b938afcadda65c986e1c
-
SHA256
dd1a76307bb81a4d70b7ff754ea9b50430ec7b353d635534a767e05d7fcba025
-
SHA512
061a02107363c6320e68b6da2f6d564eeee594e3808503135443c90c0225f12d67e636d8f7771d922c1c4ea8ddb312934559dd6fb5a5087a0969e172f78ff4e6
-
SSDEEP
384:45NDZ3T4RiZnLfyYC16xBynpkcnA5ncxRol7UyIaG8Le2K4uACEbZMj/:43Z3TXpyYC16xBg9nancvol7KzZEb6j/
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2720 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2720 AcroRd32.exe 2720 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1724 wrote to memory of 2596 1724 cmd.exe rundll32.exe PID 1724 wrote to memory of 2596 1724 cmd.exe rundll32.exe PID 1724 wrote to memory of 2596 1724 cmd.exe rundll32.exe PID 2596 wrote to memory of 2720 2596 rundll32.exe AcroRd32.exe PID 2596 wrote to memory of 2720 2596 rundll32.exe AcroRd32.exe PID 2596 wrote to memory of 2720 2596 rundll32.exe AcroRd32.exe PID 2596 wrote to memory of 2720 2596 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\server.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\server.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\server.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2720
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD54f83b294923fa4a77480ebf609bae145
SHA165663b7e5ce640ba861884979d201d6d323cf4c3
SHA256fd48e36ef90363af877963b8ed691151bf344704ef527086a6f4a98a9c3cb028
SHA5124914a44487a15e92bcafc8364b35be1bd19fce57994adb74f1c25d07f4fed4a90972b31a7d70aedfa3e02cf3020af636d8cab50e4d8fc8dba9cb32d16c941c78