d0e459e7345a0ad0414b4a57cdc3884b1545442b493b8d0b77a8ef75161941e7

Analysis

max time kernel
102s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Linear/lib/PIL/ImageEnhance.pyc
Size

5KB
MD5

fdbda50c4237f5464ebfaff5b11fdee5
SHA1

de7ee91cb1c9459f1a51300dbc2fcd1ab687f40b
SHA256

37e217d7fbe83e9b25f7604fa593e350b08216e0d3af2381a02349ea1c1c2332
SHA512

3b560947a4b2582ed1081d0d3c8f15d63163086eec6349f0922844498b4fff39262b2d8eee51f1f6c9ae8f4fe495178233e49682fe39c87c2f64640d7810c3c8
SSDEEP

48:HIyzl5/d32zVKZqEt2/MDUqV2yrmiu0mEq64PigYM3fS4aS86u:HIyzl5l3kVKgEYQxu9igYmnA

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	AcroRd32.exe
2868	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2936	2000	cmd.exe	31
PID 2000 wrote to memory of 2936	2000	cmd.exe	31
PID 2000 wrote to memory of 2936	2000	cmd.exe	31
PID 2936 wrote to memory of 2868	2936	rundll32.exe	32
PID 2936 wrote to memory of 2868	2936	rundll32.exe	32
PID 2936 wrote to memory of 2868	2936	rundll32.exe	32
PID 2936 wrote to memory of 2868	2936	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Linear\lib\PIL\ImageEnhance.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Linear\lib\PIL\ImageEnhance.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Linear\lib\PIL\ImageEnhance.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
677652848ec875ca46021a322f067403

SHA1
386ec54db82c7b050897bf29e56886aafca66015

SHA256
9993ed64e35bc03efc6431d931574eec4e5ba8cb0788ac547d6423d072d25922

SHA512
aec21248f7e9615f88f54dd87b7574fe8c0f6b80fef2e393d8d96c9fa3547112b5870a8b809dfda248abc915a1d108ee9eb3ef09a7275096ded290d3baedab4f

Download Submit