7b476bbfc4d37fa50c1c5bec98b2e8aede8087b8873eb7de27b78ad4446dddbe

Resubmissions

14/08/2024, 05:47

240814-ggy1jsxfkf 10

14/08/2024, 05:40

240814-gc194ssdjn 6

Analysis

max time kernel
1559s
max time network
1563s
platform
windows7_x64
resource
win7-20240708-ja
resource tags

arch:x64arch:x86image:win7-20240708-jalocale:ja-jpos:windows7-x64systemwindows
submitted
14/08/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CyberDEV Client/lib/selenium/webdriver/remote/script_key.pyc
Size

1KB
MD5

288c6b352dee51939973a5e33999fe08
SHA1

700e55433a827af75b6530018cda35a00cb24f2d
SHA256

3758f9a4f71d89cd887725e8ab94c083f43e5414f06ce4398687c02a54004bd7
SHA512

227ef8113860720eabc8a53d9111f7c0ff6b4e427f8573a903e1f397fa352a2a1567d5a11e8935245f984f1d1cbfcb18380e7aa4b8c0b9cc41f68327170abe7e

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.pyc	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2588	AcroRd32.exe
2588	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2800	2696	cmd.exe	31
PID 2696 wrote to memory of 2800	2696	cmd.exe	31
PID 2696 wrote to memory of 2800	2696	cmd.exe	31
PID 2800 wrote to memory of 2588	2800	rundll32.exe	32
PID 2800 wrote to memory of 2588	2800	rundll32.exe	32
PID 2800 wrote to memory of 2588	2800	rundll32.exe	32
PID 2800 wrote to memory of 2588	2800	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CyberDEV Client\lib\selenium\webdriver\remote\script_key.pyc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CyberDEV Client\lib\selenium\webdriver\remote\script_key.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CyberDEV Client\lib\selenium\webdriver\remote\script_key.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ebdecb1112c91ebe5ad0bff68e07214c

SHA1
c78064f6e9392884381130d2af10839cea86dff1

SHA256
8487a7b5668f097ff9fd6a368b2b39a63271e71afaec12f058cc72a4fe1d1a95

SHA512
2291a14dea594b2c4073bb5c17598f2b6c1c8b81ccef87d699c4b9dfdb9ad0bc8bb4654d7c5532d10a45e8b46aaf87f02df2e4ebf59b901102559b9fac88e22e

Download Submit