Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 00:54
Behavioral tasks
- behavioral1: Sample pypyp.exe, Resource win7-20231129-en
- behavioral2: Sample pypyp.exe, Resource win10v2004-20240508-en
- behavioral3: Sample pypyp.pyc, Resource win7-20240508-en
- behavioral4: Sample pypyp.pyc, Resource win10v2004-20240508-en
General
- Target: pypyp.pyc
- Size: 1KB
- MD5: 81fd3facdc3b42f1528eea527c9c042e
- SHA1: 69050abc6314b07284a5d06f878478a11763384c
- SHA256: 2b00459301bb3c1b7ed60c6b143e1efeb07ef12baded2a205ab0207655622d5e
- SHA512: 29c3c963028efa1683972eaf024720a3a95b2dc940326558e5639c5d6911e2e095bd3db148cc8cf6ee9c8ff3105aaafe2f3b018d87adbc6dcf0017fc6e1d8a9d
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2788 | AcroRd32.exe
  2788 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 3056 wrote to memory of 1276 | 3056 | cmd.exe | rundll32.exe
  PID 3056 wrote to memory of 1276 | 3056 | cmd.exe | rundll32.exe
  PID 3056 wrote to memory of 1276 | 3056 | cmd.exe | rundll32.exe
  PID 1276 wrote to memory of 2788 | 1276 | rundll32.exe | AcroRd32.exe
  PID 1276 wrote to memory of 2788 | 1276 | rundll32.exe | AcroRd32.exe
  PID 1276 wrote to memory of 2788 | 1276 | rundll32.exe | AcroRd32.exe
  PID 1276 wrote to memory of 2788 | 1276 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe (PID 3056)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\pypyp.pyc
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 1276)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\pypyp.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2788)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\pypyp.pyc"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: bf934375b70bdfeb5d49841281baa0a6
  SHA1: a96dcd7e7a6566b6c0525c4774889cb417fd88a7
  SHA256: e533a8722ee3ecdb9f6fb62e591b2da43f300b6f608a304e39415163927a7723
  SHA512: 48c7d3468918f8f24dc13a497b024299017b362baa50a9c1acf18cfe0d33c41e15605b6c9860bb8621adb8dc0853d9afb589e4f6cac0f49e70f4917fe1a2ee6e