619739e4769781798b4786fb9cae2fa31a4b99d55ea98cbabddca454aa3e92f6

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cinerotique_mod_scripts/add_tag_elements.pyc
Size

3KB
MD5

8ba0af0008484613b971a4abf5778858
SHA1

92031a8c306e84dcfeb09e48679780091ae8c449
SHA256

adaaccd543379b93a7b48729ef3fa9675c4e4a5f0aa6f7b059e84059552b5112
SHA512

a7d16d60a02bcc0744e8ec411a7b168937ef6c864e9de3b93fa9719f7fbeb8da33a9c25c77278523da2bdf2ade3ae2f3f5ae978e13bb61d2c0e8841eb9493506

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2644	AcroRd32.exe
2644	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2648	2848	cmd.exe	29
PID 2848 wrote to memory of 2648	2848	cmd.exe	29
PID 2848 wrote to memory of 2648	2848	cmd.exe	29
PID 2648 wrote to memory of 2644	2648	rundll32.exe	30
PID 2648 wrote to memory of 2644	2648	rundll32.exe	30
PID 2648 wrote to memory of 2644	2648	rundll32.exe	30
PID 2648 wrote to memory of 2644	2648	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\add_tag_elements.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\add_tag_elements.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\add_tag_elements.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0406a72c4b31b201dedbd1dc4387571b

SHA1
7ad4209548f3ab01b874286b2a9cb41deff82622

SHA256
fc61556712896fdeb6fccbda0f764f36e69c71dbe9fa014f08596d693c7993f1

SHA512
b7e23a536e71e3922f8431dff95f887ad5c5d36e7e48fda37cda4fa0e2dc29e01476d126624d9d46eb8584694b8ca7e2a0fa0d299ba5bc0410037a5fb8a395bb

Download Submit