cc87aab59cd2f26c132a5534bee45ce1a7c63d37da884ca1cbc9a8544710d317

Resubmissions

03/07/2024, 15:38

240703-s26rnswhnh 10

03/07/2024, 15:33

240703-szn4vawfle 10

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

180KB
MD5

683c7a6c055cd2771939f0032d9027ce
SHA1

b45f5e5a2721c9412644dfbc691b1ef35ae8f932
SHA256

ea02450c807f6cc15598184aae7067db51ceeec8ae8e24642228dd939c234ec2
SHA512

2f10fd0f2cbe1bc39fb2b8e6e5439a79c227ae9e947168a1edc89ea4c61ca12f28e828b7bb0bcdaa32d7d8ea8774b9163efae773ecb8217f8d50f80631fc7ecf
SSDEEP

3072:TwLagBA9oq8oolPEtelZN+thZaqPKg6NzZCknJ:MWgEEool8cN+rZaqPKg6NVCA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2652	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	AcroRd32.exe
2652	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2668	2012	cmd.exe	29
PID 2012 wrote to memory of 2668	2012	cmd.exe	29
PID 2012 wrote to memory of 2668	2012	cmd.exe	29
PID 2668 wrote to memory of 2652	2668	rundll32.exe	30
PID 2668 wrote to memory of 2652	2668	rundll32.exe	30
PID 2668 wrote to memory of 2652	2668	rundll32.exe	30
PID 2668 wrote to memory of 2652	2668	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
81e6d93ec033e0b99ba47be41f0cd72c

SHA1
953b29c6ad77d21014b32180d909e33f8a39f440

SHA256
d1e13dedf542cac693b301a63318e23780f48483f061d5dc83c12f2b3859e007

SHA512
1a0e46cd21dc4a6af93d03b42600679e317b0ed96bb05ebe4263d78a18403ebd0b385a41169284df9faaed7c8aa669856cc2de9495be176937f014ea6da7caa7

Download Submit