Resubmissions

25-12-2024 11:40

241225-ns1f3ssmct 10

20-06-2024 01:12

240620-bk1qnavdrk 10

01-06-2024 22:28

240601-2d43lsgh7s 10

Analysis

  • max time kernel
    13s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 01:12

General

  • Target

    source_prepared.pyc

  • Size

    65KB

  • MD5

    845ddc446661a59b101ca716985e834c

  • SHA1

    0e2710e3a29d83ba378f8e63546ef26ef6ad02a9

  • SHA256

    a99b29abc5cebb9e2efadb3aee5fc573a205503a67ecf8b71f580e61813202c8

  • SHA512

    a76f86ba39bb27462b89f92582a1b4d735f88f2b3dede8787781326287fc77e0ce0b0aac0246324ed9f0898e9de998104d28b161a8a8d02c6f59f65667e644a6

  • SSDEEP

    768:IaGFa0lgVgaA6RRaAZJjLwBjIgevrBYCFjUBJ29EW4VHjrlbedBDoeUgLiLmC/5q:IawgVguasyBj1uYCFjUTH/IdBDoTLBxq

Score
10/10

Malware Config

Signatures

  • Detect Pysilon 1 IoCs
  • PySilon

    An open-source RAT written in Python.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    1⤵
    • Modifies registry class
    PID:4544
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3404
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.0.1506565486\409303122" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c21d8c13-390e-473b-9d88-9d0954009674} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 1820 1d6d810d158 gpu
          4⤵
            PID:552
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.1.863301914\1671503650" -parentBuildID 20230214051806 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd950c07-c678-4f2f-bc51-73def17169ba} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 2408 1d6cb489c58 socket
            4⤵
              PID:3248
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.2.67828325\76141035" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2852 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2c56920-f0f1-4981-a5a5-c8f058ecb63b} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 2928 1d6db150858 tab
              4⤵
                PID:3808
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.3.1827147503\1627434712" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a871a3c-1fbb-443f-b3b0-43ec53f96424} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 3576 1d6dc6b9b58 tab
                4⤵
                  PID:4716
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.4.1832427482\54351916" -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {500845e8-1471-43ee-b029-2dbf0fd82983} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 5196 1d6debe1e58 tab
                  4⤵
                    PID:2556
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.5.1073146224\1259311418" -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beb622f9-a765-47b1-8e21-6136b5d78878} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 5416 1d6dec1a558 tab
                    4⤵
                      PID:3724
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3404.6.753474130\1500263407" -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 5556 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e25c190e-d614-4355-bdd6-51a7e6501944} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" 5544 1d6dec1cf58 tab
                      4⤵
                        PID:2576

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\Downloads\ADT7XKpM.pyc.part

    Filesize

    65KB

    MD5

    845ddc446661a59b101ca716985e834c

    SHA1

    0e2710e3a29d83ba378f8e63546ef26ef6ad02a9

    SHA256

    a99b29abc5cebb9e2efadb3aee5fc573a205503a67ecf8b71f580e61813202c8

    SHA512

    a76f86ba39bb27462b89f92582a1b4d735f88f2b3dede8787781326287fc77e0ce0b0aac0246324ed9f0898e9de998104d28b161a8a8d02c6f59f65667e644a6