0c714ba3b25c6996ef3ed02846f53e589edded56878449b051ec289c34f7c101

Analysis

max time kernel
103s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub.pyc
Size

197KB
MD5

a8cbbe00b28651d0eb0f9852700fc94f
SHA1

45c9fa5cd048bc1bfc973dc80931c583b7a22e1f
SHA256

b2a8c95c9a67a5b6cc0a0abb62102a1c50f1e802934402d7c886c15a9e0681d5
SHA512

f5fa8b82b32eb8c26063baa2337d3bbf77088d5af3c975cc277fd251a38c7c66e8813e4599cdb3bee928d9a9b64641fbcceb86b076cb35761e1b2409cbac45e4
SSDEEP

6144:PeYPhfY7bj/npPLYhYYYYY9YYPzk/Yh0lVV:iL/pFk/Ys

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	AcroRd32.exe
2832	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1672	2152	cmd.exe	30
PID 2152 wrote to memory of 1672	2152	cmd.exe	30
PID 2152 wrote to memory of 1672	2152	cmd.exe	30
PID 1672 wrote to memory of 2832	1672	rundll32.exe	31
PID 1672 wrote to memory of 2832	1672	rundll32.exe	31
PID 1672 wrote to memory of 2832	1672	rundll32.exe	31
PID 1672 wrote to memory of 2832	1672	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b9f7d8fe26ee41f33786649089deee15

SHA1
34dfd1ac0e343dd9f68e3dc7ebe395ef32b8a5f4

SHA256
e72527682cfeac5bb121c774b8395b6358254d4552bf082980577ecae525995d

SHA512
4ab219fc0fe57a7d1c8b7e381a23ae3c7f6372416d463fdd80e3bfb5a6c2f88deb1e094681edbd9e6dcb57b6b5ce7ec1e015a75042574548910116986998fa1b

Download Submit