d28ae1da2749134ecd5f3e43e97c9eac9594123a9cd774164522269bfb1f5635

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FOLON-Downgrader.pyc
Size

46KB
MD5

c49b8b787ecbd7cc90cab5e460b39fa7
SHA1

80bd48f42e7be62e655bd23173255a391e12a38f
SHA256

09432e22dc3ee96974e4b365808e87628c03203abb9bdcfefbf08b7a8ba525cb
SHA512

96801556a3b29c7f0bfdd80b5ddf83b097165a9f6859aca5714b0ed489a3cf39f7f038338498b8bb86cd43a5f88d47ca9049df700b530c6186135612a37cb21f
SSDEEP

384:KVrcWycqaAL+E/DKrHZbEghJmeRnKKVDkderS/OfpyprOwVwbUj0HzghdvZQqkGP:lWKVM9KKVXcVVv3WqkGsuuzqXcnOgHW

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	AcroRd32.exe
2672	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2828	2928	cmd.exe	31
PID 2928 wrote to memory of 2828	2928	cmd.exe	31
PID 2928 wrote to memory of 2828	2928	cmd.exe	31
PID 2828 wrote to memory of 2672	2828	rundll32.exe	32
PID 2828 wrote to memory of 2672	2828	rundll32.exe	32
PID 2828 wrote to memory of 2672	2828	rundll32.exe	32
PID 2828 wrote to memory of 2672	2828	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FOLON-Downgrader.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FOLON-Downgrader.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FOLON-Downgrader.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f7ffa076ce978ff2777aeda4f6c489a4

SHA1
35bbd9ee561733deb92c1c880c9361ca37c90e2d

SHA256
c0e5a8337551a54309e69bccafb04c9807058aa78b07da6f6224c041b0ab9563

SHA512
e387d711183a97da78943991b34d53d4c7781c84978912886181833665633821fe8392320c920262a864a24ea77ecb5e866636b16a0218b46fc766f6bb4469fa

Download Submit