ce08cdf4895f278b15592322e7c317daa3df8c42e76fc559cf88b89a53f1ab2e

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lib/encodings/__init__.py
Size

5KB
MD5

7e6a62ef920ccbbc78acc236fdf027b5
SHA1

816afc9ea3c9943e6a7e2fae6351530c2956f349
SHA256

93cfd89699b7f800d6ccfb93266da4db6298bd73887956148d1345d5ca6742a9
SHA512

c883b506aacd94863a0dd8c890cbf7d6b1e493d1a9af9cdf912c047b1ca98691cfd910887961dd94825841b0fe9dadd3ab4e7866e26e10bfbbae1a2714a8f983
SSDEEP

96:VHdpCpI/qD2Q0pU8F6fdaLcbkCN/yRMffWL1+rpOc6i7AYS2kEJlQ6w1AD4:XpCpIPpHEN/yYi1+NOc6IAYS2kEXQ6wr

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2668 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2668 AcroRd32.exe
2668 AcroRd32.exe

pid	process
2668	AcroRd32.exe

pid	process
2668	AcroRd32.exe
2668	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1924 wrote to memory of 2420	1924	cmd.exe	rundll32.exe
PID 1924 wrote to memory of 2420	1924	cmd.exe	rundll32.exe
PID 1924 wrote to memory of 2420	1924	cmd.exe	rundll32.exe
PID 2420 wrote to memory of 2668	2420	rundll32.exe	AcroRd32.exe
PID 2420 wrote to memory of 2668	2420	rundll32.exe	AcroRd32.exe
PID 2420 wrote to memory of 2668	2420	rundll32.exe	AcroRd32.exe
PID 2420 wrote to memory of 2668	2420	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Lib\encodings\__init__.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lib\encodings\__init__.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lib\encodings\__init__.py"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9f8f768405b58ac8ba9ae962dc619acc

SHA1
16819f480a93f06da00b1ac320f0113d1195fa70

SHA256
8d4c4e0ac75373e5ca72334dfbeabe78aaf69a9d8e7b7743caee7fc73388a39d

SHA512
cf4a3c46a7a245697199f368d5c79d168046279be83585c3f5bb625f8b3c2c7dce0705a54a6c30cd00468ad2cf78d12163fa4b0dfc74d23299e6f2044c687434

Download Submit