Resubmissions

01-08-2024 08:14

240801-j48vda1blm 10

29-07-2024 20:18

240729-y285paycjr 10

29-07-2024 20:11

240729-yyr21ayanl 10

Analysis

  • max time kernel
    102s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 20:11

General

  • Target

    get_cookies.pyc

  • Size

    10KB

  • MD5

    b38f506528b3d6d5dbd851426c347b95

  • SHA1

    e91bf4ef42128267934e21be0176e552480f5977

  • SHA256

    85a7c34afad2c270ca690a5b4c30cc8bf16967e623fc77f4de4497901030a93b

  • SHA512

    ab110dc92eba564fd0ec6c6a75e779f588518dc1aa461f072ab02b96bc11fbe25e09faa6a556dc6a127c3e8826382697b72037a0cefbdaf32fd70a723e746295

  • SSDEEP

    192:TzOCIeinQfUF9LdwOEVOFc1mNe47+o+zEzzzzz1zz+HoowAE:TzOUiQccEe4KoOIAE

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:300

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    60c1e56c372ddb298fd9bff8c2fd1a14

    SHA1

    c127d0e787704c588690d0f1f387353cff33f97f

    SHA256

    5315e9c98f7ccf3cc38005fb8535fcffb145eb09415d8ed165d2ef7b9d660f37

    SHA512

    fb8373bc1d0d2af8d1086f699111956f5cbe8a980c4910f37a654e8949a5fa63cbd6d0d0cc529b3366607d0b02279058a370b428469516f0d9326b153be6ebc7