f7f14ccc2a131248e79a38e5cb862cc7914e601309c24302c3b08d111fd0e21f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test44.pyc
Size

4KB
MD5

8df746045cc87c4b01afab99df67a18e
SHA1

811a5e0e7eee7b3e423ba27c770d094c9a5fab61
SHA256

59eab497729d5941cf15f944a726d0bf6b56a5b3cba3d50e782906877113f128
SHA512

027dc82b187a97c9f0cc257936db155572a9002e5d3329a91c724fa460e715acc1c788ffea6c2b4705eea7296e35b61231af7d1290ba610d234bbaa2aa05c951
SSDEEP

96:v63s83sp3s23sb3fQVdyig7WgKgagDganDm473OruX1/t:v63s83sp3s23sb3fQVdyig7WgKgagDgy

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	AcroRd32.exe
2632	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2656	1876	cmd.exe	29
PID 1876 wrote to memory of 2656	1876	cmd.exe	29
PID 1876 wrote to memory of 2656	1876	cmd.exe	29
PID 2656 wrote to memory of 2632	2656	rundll32.exe	30
PID 2656 wrote to memory of 2632	2656	rundll32.exe	30
PID 2656 wrote to memory of 2632	2656	rundll32.exe	30
PID 2656 wrote to memory of 2632	2656	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test44.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\test44.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\test44.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cbc5dae05881cae346973eaf6b73f79c

SHA1
77b41bb589de7370fe11e9fbae9e45b7df2d9084

SHA256
0dcfc3b532014843af6a48e3cd88713c5b14913ba88a7cd04b7de75908356525

SHA512
602d28eedae54139f821a14dff511b37fa297edb0ee42d7638a786f8251583c6e63101394b189aeb78ccdfc2b3887582c1207fcc8ff8f5cff2c22b207def4896

Download Submit