Resubmissions

20/06/2024, 00:25

240620-aq13yatapl 10

14/06/2024, 18:17

240614-wxen6svgpl 10

Analysis

  • max time kernel
    48s
  • max time network
    44s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20/06/2024, 00:25

General

  • Target

    source_prepared.pyc

  • Size

    157KB

  • MD5

    0f565ae075ea25ecd99211522458f001

  • SHA1

    092b2b5a32bfcab1333d2b87f0c16eeecb8d0b9a

  • SHA256

    cd17f1d43bb1bfb5fb79519f765d1fc6ae186d69211c58dccbba8bf9f0cb35e4

  • SHA512

    cd78f7f73165b348cf58603d5d5c199a71ad214aedd7214465475cfd25fcafeeffc78c94d1ebb80e9318e69cb3be8f554e03d279a0cb93a774e40def287f6570

  • SSDEEP

    3072:3XHYCaOO/LKlRU/nVooPZTWZx5JVdsCLimK5IvdXzOsTNTR:3ICaOO/LKIVoZVHdsCnQs1R

Score
10/10

Malware Config

Signatures

  • Detect Pysilon 1 IoCs
  • PySilon

    An open-source RAT written in Python.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    1⤵
    • Modifies registry class
    PID:2676
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.0.1735644486\613114385" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9af793b1-a7a1-40b3-8e0e-fd5db7a902c2} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 1824 1c77f6f5458 gpu
          4⤵
            PID:5104
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.1.302903505\1944399845" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef9a5c97-700b-4e61-837f-603b97ecf76f} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 2196 1c77f5f9558 socket
            4⤵
              PID:4148
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.2.248124525\1926856008" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 2948 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c50869d2-769d-4f28-b4f3-90f05fe53d26} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 2928 1c70ccf1558 tab
              4⤵
                PID:2648
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.3.375324690\499946190" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8e50ba2-ccf2-409b-ba26-e8b02bc262e7} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 3504 1c70b5ec958 tab
                4⤵
                  PID:4656
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.4.536472370\1431973134" -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f130f5c7-8846-429f-a6af-0d3605daa383} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 4976 1c710011658 tab
                  4⤵
                    PID:1720
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.5.842430441\895830885" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f7aea95-3132-495a-bbd5-634af131f31a} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 4996 1c710012558 tab
                    4⤵
                      PID:4392
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4664.6.505196326\1258204183" -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b16d4b2-e513-4c9f-a887-1a884166dfb5} 4664 "\\.\pipe\gecko-crash-server-pipe.4664" 5304 1c710012b58 tab
                      4⤵
                        PID:3252
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:2420
                  • C:\Program Files\7-Zip\7zG.exe
                    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\source_prepared\" -spe -an -ai#7zMap13530:92:7zEvent28043
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:3176

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

                    Filesize

                    9KB

                    MD5

                    5bbfa8126f2481300de2da37c7f3f967

                    SHA1

                    e800e5f5443105900bfbcc15e9a7d102a00057b0

                    SHA256

                    c545563faf9c9fab6d64450c74108256bb63c8d126e0be0e9c8ea9b9ff1132e0

                    SHA512

                    f794b07ceb908fbd66492ade0887a65e421ef5cb2ff6d7af49e2f846c958a474bdbefcf3d6cb209d9cd0ba6a296ed68d6210cc631d68403ff579c93f60847d40

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7b6691de-494e-4770-8c6a-7e93ad0c4d82

                    Filesize

                    734B

                    MD5

                    15c4d24c615ce2144f6856e23679b828

                    SHA1

                    7b6fa07ff3b7b40a42167c5e8a3dd138bb7acecc

                    SHA256

                    357af37cb2dd948a542de4c43d34b80c6a3b8d71a9be8257191553242ec3a0fb

                    SHA512

                    a307fc49895b44245717183d4c9a0a3c613bd135e8ee381d87b3eac33eb5ee0145c8f0bfd29024e0f11fb5a71bc7d46c11be4a1df1944de9ea37593f7d2c1b18

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                    Filesize

                    994B

                    MD5

                    6ddd9b09c7864c803b4ea2ae3928e88d

                    SHA1

                    be2e7f6f6aa771095780560da45266d37da09200

                    SHA256

                    d3072bb8b86dd5f867e2b43dd01f9721ce4553236e5cddb77b7f4a3812fe3e5e

                    SHA512

                    5c22c2e6f3bd5bfd2d75713f94078bb44ee05000dfe005b8229ecb9034c4827fc339d546b0710e72536babcc4df897eadf642654ca1dd1becb92286eb374290b

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    184KB

                    MD5

                    e7d901ad03d22078f4c42ecc83c3bd45

                    SHA1

                    13ffe2ced2026e6b99c39a96d006c7832a72ba17

                    SHA256

                    fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

                    SHA512

                    8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

                  • C:\Users\Admin\Downloads\o_t9PAv6.pyc.part

                    Filesize

                    157KB

                    MD5

                    0f565ae075ea25ecd99211522458f001

                    SHA1

                    092b2b5a32bfcab1333d2b87f0c16eeecb8d0b9a

                    SHA256

                    cd17f1d43bb1bfb5fb79519f765d1fc6ae186d69211c58dccbba8bf9f0cb35e4

                    SHA512

                    cd78f7f73165b348cf58603d5d5c199a71ad214aedd7214465475cfd25fcafeeffc78c94d1ebb80e9318e69cb3be8f554e03d279a0cb93a774e40def287f6570