Malware Analysis Report

2024-11-30 12:46

Sample ID 240822-xtvrnashnb
Target Credit+Miner (1).rar
SHA256 a7482e665aa974507d5c7605acc2da8d260465d765416472ebe798f73f99184e
Tags discovery pyinstaller pysilon
Score 10/10

Analysis Overview

Score 10/10

SHA256 a7482e665aa974507d5c7605acc2da8d260465d765416472ebe798f73f99184e

Threat Level: Known bad

The file Credit+Miner (1).rar was found to be: Known bad.

Malicious Activity Summary

discovery pyinstaller pysilon

Pysilon family

Detect Pysilon

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-22 19:09

Signatures

Detect Pysilon

Description Indicator Process Target
N/A N/A N/A N/A

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:12

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ae013eb47dd00c95858fa6efd27cb2cb
SHA1 bae04ec44a19b4c6f0d6c6a52b0ac2298b62e023
SHA256 a3b195fdc9fde2266fb6a658b0ff1785cbde482c24f94d7de1b24cb43a529083
SHA512 a33446a4d9ea84978634740a3a5a1f7fa6232df5acc5aa4ccb64af39e767c2d18c99c42b2e5fca1946fc192c2cca3907f3fb56e71e8acb74ab894389b6af8542

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:12

Platform

win7-20240708-en

Max time kernel

119s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cfc4f9c2bbff601dab2a5db71e085dbd
SHA1 d36725afb73c4e914f223c18f499feb9c6d69cfb
SHA256 ede451107361ea0b961c1b20bb1e686903d388bca7961bb57d54de55e87fc246
SHA512 1f33fb6c7f2a2da7cd4bca6edfb38dadbbd4dc6ecc1abf247883c5557ec51c8aba41c19145be6f2d58397c180c272e90db1ebd2ab4025f5b6617e287b93ebe69

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240705-en

Max time kernel

119s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\v2\Settings.json

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\v2\Settings.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\v2\Settings.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\v2\Settings.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dcd74793da938e1e592e90944ece2c37
SHA1 f9993119e5334629c13d6e199aa59cbee5df6810
SHA256 c80409a171df9a7fb0aa6210c54d84ddbcd4786d96092fe0ff4e2f57b5781438
SHA512 f242b95144f2c12d321b2554b86b6a524ff170b1209be7cbbcb1bd769cac9b7fe070b2fd09069eb95a336220b9c3a0dd70baa9af1261ec02316aabb933981c91

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240704-en

Max time kernel

104s

Max time network

19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\v2\recaptcha_bypass.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\v2\recaptcha_bypass.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\v2\recaptcha_bypass.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\v2\recaptcha_bypass.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 35365c78f4efe1c61db364860132fe83
SHA1 56f9f2e1d675acd1bd99d9e19393aaca273c4698
SHA256 c8c82f862b0fe9ecab0155b3a318c96bd9019e2ec6006e0458d6b3a98fac4861
SHA512 90d0e7f22722b5ae995ea1d86596843ee2a1c7a62996d0e7a70a1a0a54d2da75d8e10b8321c78866aeb9944279083e50fe5c8879c388de895ced599866cbf15a

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240705-en

Max time kernel

117s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\v2\Main.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\v2\Main.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\v2\Main.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\v2\Main.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 808e33240ace17bb8627de68fb89d823
SHA1 d306bbac8faebd5c13988159ea18866d255b50cc
SHA256 4de79045ce4182cbc93abfd8922f36bf18d0c295c82d754e5b1a61cbc4004bbb
SHA512 746317ebc1ee763b0bece69af81a5e85ab7212042913c067b6c543d05dd320148bcb0438b61ef3318ce3ef3eaa90e5f172bd780d478512d8f12bd2ff80b04c10

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:12

Platform

win7-20240704-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 4586df4783017492cfc6243eb58698ce
SHA1 bf38b1cf19d9ca67ff476ca472ec24e898fa7786
SHA256 ae195a7efb2f13bdab76a0904f8ef6c109354b41a69c78b486f62dd20cef7ce6
SHA512 348e20e5d240b97ae0c10196c58c74f9ef21ada79a7c13fe43e29ad247cc380b9d6a4f00d4bbc0a6a996fa6e79d4de0831052e50fc773adbe9072843c66b8d87

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:12

Platform

win7-20240704-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\misc.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\misc.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 67a414bf260af3a330cfa25f296c6228
SHA1 967a397b1a5ca1b60909f9d5b6c5010e1cef48a0
SHA256 24b3fa9cadd14ecbd1d065092667e097b2304bbf8694c2b14b1c9c427242e247
SHA512 57e73954b6c1b3daa2e69690464facf34161c086d1e52066de48b38f9cbe6677def884760c3346f5570773f46206e24ed276f824ce1bcfdf62628567e8dc70cb

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240708-en

Max time kernel

117s

Max time network

125s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\v2\tokens.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\v2\tokens.txt

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240729-en

Max time kernel

122s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Credit+Miner (1).rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Credit+Miner (1).rar"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Credit+Miner (1).rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Credit+Miner (1).rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Credit+Miner (1).rar"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x1b0

Network

N/A

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240704-en

Max time kernel

10s

Max time network

19s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\v2\Proxy.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\v2\Proxy.txt

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240729-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v2\Run.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\v2\Run.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\v2\Run.exe

"C:\Users\Admin\AppData\Local\Temp\v2\Run.exe"

C:\Users\Admin\AppData\Local\Temp\v2\Run.exe

"C:\Users\Admin\AppData\Local\Temp\v2\Run.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI16482\python311.dll

MD5 387bb2c1e40bde1517f06b46313766be
SHA1 601f83ef61c7699652dec17edd5a45d6c20786c4
SHA256 0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364
SHA512 521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-22 19:09

Reported

2024-08-22 19:13

Platform

win7-20240708-en

Max time kernel

119s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7affde603c7e2d23b56edce6b6cc7747
SHA1 c4dee69d73236892d83a1ecc02aa2ff2b0d0196d
SHA256 6a03cda9ea8486f97d242b5ada35b127c83b1174e3cbf146ed675258194d6bc0
SHA512 4fbcd8daf000dc0b989d7ed5538d1fe956c6ad3edb3e35b490e017ca4478768e4d4b18518344b800215d9a5b5c0a1c108a5d2bab6c893f82cf0d7979924deb47