47a549f6c12a86000ebea99389ac5d297dcb42c9734bebcbb3bbd83a177e336e

Analysis

max time kernel
8s
max time network
0s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 02:04

Target

background_script.pyc
Size

3KB
MD5

5978f68476275e7b24af869c3d2e988c
SHA1

01d13971a416b1c03cfc6dd5e66c5ee69336b90d
SHA256

e7dd84c0772b3feb0da7952984ce2e2ba1241d2804841303601699aeb855e1d7
SHA512

1796c933aa77aa36d9c4daf42ea2290c2a0e341792c0852870a44e9d8fe38ae09e069ad462fcb96f68023f76f6a9c42915d60706bd8ae181c5332c78e45758ee

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2132	2536	cmd.exe	31
PID 2536 wrote to memory of 2132	2536	cmd.exe	31
PID 2536 wrote to memory of 2132	2536	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\background_script.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\background_script.pyc
  2⤵
  - Modifies registry class
  PID:2132

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact