ee800a6102a9c87635e9f06dbc899653842ee9adec96e61d4355947639ae1602

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file/res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
Size

114KB
MD5

a2f3ded45da8870e93e5d2186dab27e8
SHA1

3f8e0cddecc3827b33ec02cd78d192c18f1ddf82
SHA256

fc19237a4e9ae65829dbde384ce0de2c78b22d9577384dded9d4cde569a12742
SHA512

438621491061c7f14f59c48d0d2fdd637a17c058df13417e21d660d81632dbb826a6144032f6f9192ab9bb0afb46b8f6cf3982879dc9942261c2538dbd17187c
SSDEEP

3072:k6BVH7SBjeSCbupKVfG2yQJ23J+Svsy9k/TukuPMh:zrbKeWmDyQ+13kOPMh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2220 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2220 AcroRd32.exe
2220 AcroRd32.exe

pid	process
2220	AcroRd32.exe

pid	process
2220	AcroRd32.exe
2220	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2860 wrote to memory of 2680	2860	cmd.exe	rundll32.exe
PID 2860 wrote to memory of 2680	2860	cmd.exe	rundll32.exe
PID 2860 wrote to memory of 2680	2860	cmd.exe	rundll32.exe
PID 2680 wrote to memory of 2220	2680	rundll32.exe	AcroRd32.exe
PID 2680 wrote to memory of 2220	2680	rundll32.exe	AcroRd32.exe
PID 2680 wrote to memory of 2220	2680	rundll32.exe	AcroRd32.exe
PID 2680 wrote to memory of 2220	2680	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\file\res_mods\1.23.0.0\scripts\client\gui\mods\mod_a.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file\res_mods\1.23.0.0\scripts\client\gui\mods\mod_a.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\file\res_mods\1.23.0.0\scripts\client\gui\mods\mod_a.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2220

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
9b8cfed790af4839d517f859052b7d06

SHA1
ea59bdc5312756d08d09e20b498224d625cd2a04

SHA256
23d82ac776f6789370e9c9be738c00b9a1711e24f9210adee3d8163e6f8041e4

SHA512
b1bccee9967858b1f61244b5088de8e265a8195ac5b3fe490ae51fff6e430be841e8144c9eb498a5442dfc176bfb8733a1ae89723f7d8805d178c2f5906e045f

Download Submit