Analysis
  max time kernel:  18s
  max time network: 16s
  platform:         windows7_x64
  resource:         win7-20240508-en
  resource tags:    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted:        06-07-2024 00:16
Behavioral tasks
  behavioral1: sample SecureTelegram.exe, resource win7-20240704-en
  behavioral2: sample SecureTelegram.exe, resource win10v2004-20240704-en
  behavioral3: sample main.pyc, resource win7-20240508-en
  behavioral4: sample main.pyc, resource win10v2004-20240704-en
General
  Target: main.pyc
  Size:   723B
  MD5:    c568586fd87462685947012dca4d79db
  SHA1:   0a899e9cd82c732c565d6ba591a04c0bfdd5a592
  SHA256: a8a0c8ebd9254af0e97a710c79eb70e26b063dfd4b31cc96b66e45dee95bfe35
  SHA512: 5d6ad73872e5e118daa54dfc7a85f1a8d9b7c70565030ba4a764ce00710dbc9f1f72c443a43437f97843857e73718b2b8dbe47cf80c1ec5a993899ad9a4eeab7
Malware Config
Signatures
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Modifies registry class (9 IoCs)
    description       ioc                                                                                   process
    Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command   rundll32.exe
    Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings                     rundll32.exe
    Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file                      rundll32.exe
    Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc                               rundll32.exe
    Set value (str)   \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc\ = "pyc_auto_file"            rundll32.exe
    Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read           rundll32.exe
    Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell                rundll32.exe
    Set value (str)   \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\                     rundll32.exe
    Set value (str)   \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe

  Suspicious use of SetWindowsHookEx (2 IoCs)
    pid    process
    2324   AcroRd32.exe
    2324   AcroRd32.exe

  Suspicious use of WriteProcessMemory (7 IoCs)
    description                         pid    process        procid_target
    PID 2280 wrote to memory of 2712    2280   cmd.exe        29
    PID 2280 wrote to memory of 2712    2280   cmd.exe        29
    PID 2280 wrote to memory of 2712    2280   cmd.exe        29
    PID 2712 wrote to memory of 2324    2712   rundll32.exe   30
    PID 2712 wrote to memory of 2324    2712   rundll32.exe   30
    PID 2712 wrote to memory of 2324    2712   rundll32.exe   30
    PID 2712 wrote to memory of 2324    2712   rundll32.exe   30
Processes
  1. C:\Windows\system32\cmd.exe (PID 2280)
     command line: cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
     signatures: Suspicious use of WriteProcessMemory
     2. C:\Windows\system32\rundll32.exe (PID 2712)
        command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
        signatures: Modifies registry class; Suspicious use of WriteProcessMemory
        3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2324)
           command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
           signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3KB
  MD5:      83e0f3ebe2dbc802b98e30d7c1bff6d2
  SHA1:     ac1f68499eb1b9c266ee1e7cae2c970d094f87b3
  SHA256:   ebf48013abcf901e713185792f41bfb4c8ae1b38ea3c7cc593526f19143d62b7
  SHA512:   676c42185c8e2489824d7ff486e4564bc36efed245d8d58d3737380205ab39cb74fa1082c3d53bd8217b4092f96a1f7a582a85eb21178cea33bf1ab9b8ef514c