b01ee9e4b7e57dc0d9a0415723cbc1e7df84c90b352d9b2a716e222360961de8

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PySilon-malware-main/resources/source_code/bsod.py
Size

782B
MD5

97d02293e28ece94f91f3a739897e595
SHA1

328eae0fc97dcbc5949eb5d29298eecda7ae8a08
SHA256

4f2b74ea05b9d5a79323c3e035e72903bc9a8d9ad834113b21a44006583c2714
SHA512

d3fc6dac3d4a6e587246816dbeaee280a295d7633f58a127c63481d9a864ba012e06ab3ea3b90724b25835f0ca45284be333cdd90e400705b6dcdb4ecb9b71db

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2988	AcroRd32.exe
2988	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2392	2264	cmd.exe	31
PID 2264 wrote to memory of 2392	2264	cmd.exe	31
PID 2264 wrote to memory of 2392	2264	cmd.exe	31
PID 2392 wrote to memory of 2988	2392	rundll32.exe	32
PID 2392 wrote to memory of 2988	2392	rundll32.exe	32
PID 2392 wrote to memory of 2988	2392	rundll32.exe	32
PID 2392 wrote to memory of 2988	2392	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PySilon-malware-main\resources\source_code\bsod.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PySilon-malware-main\resources\source_code\bsod.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PySilon-malware-main\resources\source_code\bsod.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6a990a1f13843adc57645e4db3d6240e

SHA1
caf8b261beea73853e17ed1c496d0bcd0dcde5ca

SHA256
9a60f9a19b13c4fe579d19093a68b7cb547ec5302c555f3d523f48a1dddd68d5

SHA512
2517ab6bd9191b40a0d6bf1ae906ba20c091937be47714b16e70b2b1c6ab7127bc6da8f40d4b5561c7c655f3dea1ad7e45d2d8ff78255acecba59eb6fe1f0e57

Download Submit