42125fea3a55fdff20c9c2ecae70784bb9207beec55f47dd963a9c594c1ba490

Analysis

max time kernel
27s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub.pyc
Size

876KB
MD5

8d73a00dc0d7ea318824901e48f02921
SHA1

a83ce61825286f0908f64d9d1fab3c007edb7039
SHA256

874d3b1ae43cb4597adb6b4cd4b77621a840263463191e2e34342677003c69cb
SHA512

7823abe9bddc5a45a34b2c404dae8f9f4bf628d5a18afeea84a83b6048e935ddc595cb7b9e00fad45dc7d382f8f55c9d6b84a268a8008ee712d727340c079eed
SSDEEP

12288:RgWsi7/5Wlwoh852L3ctRrO++Lc7QlmKPfYcNXzz:Ii7/5Wqoh8YzX3fYct

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	AcroRd32.exe
2672	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2888	2700	cmd.exe	31
PID 2700 wrote to memory of 2888	2700	cmd.exe	31
PID 2700 wrote to memory of 2888	2700	cmd.exe	31
PID 2888 wrote to memory of 2672	2888	rundll32.exe	32
PID 2888 wrote to memory of 2672	2888	rundll32.exe	32
PID 2888 wrote to memory of 2672	2888	rundll32.exe	32
PID 2888 wrote to memory of 2672	2888	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d5b914d795842fdb49b46b0b86bf9aba

SHA1
69a6b656067f9f54242f2e62bf118bb52d0150c0

SHA256
f303f1b7c2bddb25a74f6258884dc71ca32545f3933915eab3c34bf74dde9e84

SHA512
90e5e817ac3e41cf61743c8434873c292a671d253ecbbfc5c139889887321ac0e9d8ef740e7d0f33c71d2e829f580b39e7541bad428339583001b6bef3767d75

Download Submit