Analysis
max time kernel: 359s
max time network: 360s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 02-08-2024 16:52
Behavioral task: behavioral1
Sample: picgnp.scr
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: picgnp.scr
Resource: win10v2004-20240802-en

Behavioral task: behavioral3
Sample: source_prepared.pyc
Resource: win7-20240704-en

Behavioral task: behavioral4
Sample: source_prepared.pyc
Resource: win10v2004-20240802-en
General
Target: source_prepared.pyc
Size: 168KB
MD5: 73d836bbd8abcb0b9534b40c5fb757ae
SHA1: 50964c6fd1f289b1d79bc9c5dd83081c29e40039
SHA256: be42ebaf02f10990477d8a358d100cb8e3284ea5f57677503db98ab272d149e0
SHA512: d3ee98f35467da085311f5776520c6a9215d652207b1a9156c458c4508664b78370d44eb413f1c71d1f910811b31fb66e04b4eb175d3521752ff3bcd379d9e65
SSDEEP: 3072:s4f5aOO2UaSMS46o4PZTJ0pZXScT0wfxIvdXz4sTWP:sa5aOO2UaSc6ojpUY0wfnsS
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: AcroRd32.exe
Modifies registry class (9 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
  2680 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid | process):
  2680 | AcroRd32.exe
  2680 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description | pid | process | target process):
  PID 2352 wrote to memory of 2240 | 2352 | cmd.exe | rundll32.exe
  PID 2352 wrote to memory of 2240 | 2352 | cmd.exe | rundll32.exe
  PID 2352 wrote to memory of 2240 | 2352 | cmd.exe | rundll32.exe
  PID 2240 wrote to memory of 2680 | 2240 | rundll32.exe | AcroRd32.exe
  PID 2240 wrote to memory of 2680 | 2240 | rundll32.exe | AcroRd32.exe
  PID 2240 wrote to memory of 2680 | 2240 | rundll32.exe | AcroRd32.exe
  PID 2240 wrote to memory of 2680 | 2240 | rundll32.exe | AcroRd32.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  PID: 2352
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    PID: 2240
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      PID: 2680
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: ad02c032fbbfb7e0bbcded78bf96c580
SHA1: 48ada289ce67ea7c6d9cf5defbb1ad1c6be3f29c
SHA256: 09bc0555f5daa69a596e04a581e50e54dc38cd9d12b4b033c215422c485f17a2
SHA512: de1eb00378362ffc5fa8f94d0a1c537fdd68ae7f3b66ef233ca84bf46e4ad1edef73fb0f060848e943b03f85f10d6135600542e192ac2869e7942e0bce6ddf5c