Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2024 16:55
Behavioral task: behavioral1
Sample: source_prepared.pyc
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: source_prepared.pyc
Resource: win10v2004-20240730-en
General
Target: source_prepared.pyc
Size: 173KB
MD5: 6b78e612c1890a9b4d5d2ef65aba915e
SHA1: 32be2fddae71d6db013e456477bda45253fa914b
SHA256: 64e3d2880a27d913b02d026f5f227ed0875d265eef0139b5e5a6749632f013da
SHA512: 7e0cb34715c1b7b5036cf844c2121162638a43d511ada265e1608ae0b87292d573c60a41610cfa1b15b9b9b68d5e90f84e55902e61e87ab4be7d82a7862842bb
SSDEEP: 3072:jrdhk0aOO22A1VSUkosPZTJ0pZyScWaQV+AcwIvdXz/sTWu:jr/k0aOO22ApkoHpL9EAosP
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AcroRd32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.pyc | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\pyc_auto_file | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2832 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2832 | AcroRd32.exe
  2832 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 588 wrote to memory of 1496 | 588 | cmd.exe | rundll32.exe
  PID 588 wrote to memory of 1496 | 588 | cmd.exe | rundll32.exe
  PID 588 wrote to memory of 1496 | 588 | cmd.exe | rundll32.exe
  PID 1496 wrote to memory of 2832 | 1496 | rundll32.exe | AcroRd32.exe
  PID 1496 wrote to memory of 2832 | 1496 | rundll32.exe | AcroRd32.exe
  PID 1496 wrote to memory of 2832 | 1496 | rundll32.exe | AcroRd32.exe
  PID 1496 wrote to memory of 2832 | 1496 | rundll32.exe | AcroRd32.exe
Processes
C:\Windows\system32\cmd.exe (PID: 588)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID: 1496)
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID: 2832)
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 6aed38e53fa10c9f491df210982ecd3f
SHA1: a7be72b2943bfbac13b549b15bca0da8ac63e73b
SHA256: 02bbaa85697e1d6918cc05c6d1ad921c862f97defec134f23930741e56c605a9
SHA512: b5274c90f41fb82fd5f274b86875cf566ee02086f6bfeb5f5f6fd41011b45218c37ca2c59f102c75b36c7d1a688ea9af9a0e9a450ff90e85c3b88fc5a3f78fa9