38c0e56a48ed8384e384ac193ef96dbb9abcf152ff6ecff7a5b10e8f65949b77

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.pythonlibs/lib/python3.10/site-packages/aiohttp/__pycache__/client_ws.cpython-310.pyc
Size

8KB
MD5

30edb9a25b189e41b8696de178866114
SHA1

85d7d63c71d4a5177dccc608d11aed740933be2b
SHA256

9ef2a2a51c8ed6ce6ff69c2a54de0ff98e736fddb522d5a9e1baa6a6506d53ee
SHA512

5ef5b6045e80b85802932f467979f613891b6cfd6662d07c9d7e11a86ca2fa64321b2181711a82e8f2657ff6962f765305687caeafb611b07dff7f1e629f896b
SSDEEP

192:0OQoeXSdqFfYMeOkDbZaGOqIDB/ksxZdqukLb4:0hoeXSdsgJZaLqIl/ktV4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2920	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2920	AcroRd32.exe
2920	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2744	2568	cmd.exe	31
PID 2568 wrote to memory of 2744	2568	cmd.exe	31
PID 2568 wrote to memory of 2744	2568	cmd.exe	31
PID 2744 wrote to memory of 2920	2744	rundll32.exe	32
PID 2744 wrote to memory of 2920	2744	rundll32.exe	32
PID 2744 wrote to memory of 2920	2744	rundll32.exe	32
PID 2744 wrote to memory of 2920	2744	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\.pythonlibs\lib\python3.10\site-packages\aiohttp\__pycache__\client_ws.cpython-310.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\.pythonlibs\lib\python3.10\site-packages\aiohttp\__pycache__\client_ws.cpython-310.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\.pythonlibs\lib\python3.10\site-packages\aiohttp\__pycache__\client_ws.cpython-310.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2001d9b0195d4ead7fe9f4ba1b70f9e7

SHA1
1d9ee02c1d771dd83d9126f5f5f56ddfcd651132

SHA256
8a7996f526ac12d73b3be33cf995b58eb887591a72872469011a7c30e62a4370

SHA512
a1daee8005e972de11ebf7662fa32536e329ad068e884cd834a6b1a2204a1cf07d49efe37131b19cb666c00553f8a5b4cf679fc5e2d4ca3b6495e062ec1c3e0f

Download Submit