Resubmissions

01-08-2024 08:14

240801-j48vda1blm 10

29-07-2024 20:18

240729-y285paycjr 10

29-07-2024 20:11

240729-yyr21ayanl 10

Analysis

  • max time kernel
    102s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-07-2024 20:11

General

  • Target

    source_prepared.pyc

  • Size

    178KB

  • MD5

    87177df4f446f173b5b0d00d38949780

  • SHA1

    bc5c4173573acfc0be23ac32a0963da109f5755c

  • SHA256

    a0b23f14853efd9cc3e5234ec813b625e39260fc20f527dd41fa326d51d1d56c

  • SHA512

    693a6984c51104d48d7ff4ba3e56c65d85d9de33e261bf498b69a68a56d8509ab52d3a3046f3989bdb26bd3a05cc898981a80fd4fb01485ba91abf81f2670afa

  • SSDEEP

    3072:ot0LaOUA9ECE6oqPEtelZN+thZa1aOg6PIWCkI1:oiWO926oq8cN+rZa1aOg6PLCb

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    3a7f8ef03b3eaa4f7585abbb001d6d0a

    SHA1

    5c336af1dbf21f9e04c3e41454bba65e2746e44f

    SHA256

    c040219ad1a1c290937d3a5a8946104ce6ac76b0cb11c941a85831d00c79a6ac

    SHA512

    43655cdaffdb633955f93e9a1d1cae1b2c9a3e8581e0a5d3411a1d5e3e33211a9ffc385e5d0a6ec5a3f006e62847c01690133273a6730b6a1827cab10bba491b