a974f28684d62fb86112d66c02b36d0a3456ddfd7a0e3227f24e79a707bba79c

Resubmissions

10/06/2024, 13:26

240610-qpxbcsxbra 8

10/06/2024, 13:22

240610-qmq2kaxfll 8

10/06/2024, 13:16

240610-qh9m4swhle 8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PySilon-malware-main/resources/source_code/bsod.py
Size

782B
MD5

97d02293e28ece94f91f3a739897e595
SHA1

328eae0fc97dcbc5949eb5d29298eecda7ae8a08
SHA256

4f2b74ea05b9d5a79323c3e035e72903bc9a8d9ad834113b21a44006583c2714
SHA512

d3fc6dac3d4a6e587246816dbeaee280a295d7633f58a127c63481d9a864ba012e06ab3ea3b90724b25835f0ca45284be333cdd90e400705b6dcdb4ecb9b71db

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2988	AcroRd32.exe
2988	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2828	1612	cmd.exe	29
PID 1612 wrote to memory of 2828	1612	cmd.exe	29
PID 1612 wrote to memory of 2828	1612	cmd.exe	29
PID 2828 wrote to memory of 2988	2828	rundll32.exe	30
PID 2828 wrote to memory of 2988	2828	rundll32.exe	30
PID 2828 wrote to memory of 2988	2828	rundll32.exe	30
PID 2828 wrote to memory of 2988	2828	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PySilon-malware-main\resources\source_code\bsod.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PySilon-malware-main\resources\source_code\bsod.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PySilon-malware-main\resources\source_code\bsod.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
109f10985423013da23bbd4e1f86b585

SHA1
03fbaf0808aaa6e726aa326f1e1bc7e9b7f163f0

SHA256
88956a922a06b797e69c495572d5e6641a2cd5d7a8b8962858f1b63f40964225

SHA512
ab3b7e47e45a3e674629c6381daee9c88c35ef1975e423f282d305c3c7ce9757d2b1746f6173cf9066529624814457fec4ee53e557aac7f69d635700959ddb21

Download Submit