Analysis

  • max time kernel
    1559s
  • max time network
    1559s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 23:35

General

  • Target

    server.pyc

  • Size

    17KB

  • MD5

    caba296bbf4da22bb7948bf3288d71cb

  • SHA1

    99453aabfafa284387f0b938afcadda65c986e1c

  • SHA256

    dd1a76307bb81a4d70b7ff754ea9b50430ec7b353d635534a767e05d7fcba025

  • SHA512

    061a02107363c6320e68b6da2f6d564eeee594e3808503135443c90c0225f12d67e636d8f7771d922c1c4ea8ddb312934559dd6fb5a5087a0969e172f78ff4e6

  • SSDEEP

    384:45NDZ3T4RiZnLfyYC16xBynpkcnA5ncxRol7UyIaG8Le2K4uACEbZMj/:43Z3TXpyYC16xBg9nancvol7KzZEb6j/

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\server.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\server.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\server.pyc"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    4f83b294923fa4a77480ebf609bae145

    SHA1

    65663b7e5ce640ba861884979d201d6d323cf4c3

    SHA256

    fd48e36ef90363af877963b8ed691151bf344704ef527086a6f4a98a9c3cb028

    SHA512

    4914a44487a15e92bcafc8364b35be1bd19fce57994adb74f1c25d07f4fed4a90972b31a7d70aedfa3e02cf3020af636d8cab50e4d8fc8dba9cb32d16c941c78