c766263f5e7a70f0f77c53571d7fd10f7434df7d0a9d93139ef4655553840273

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TheBigTool-main/Settings/Program/Config/__pycache__/Util.cpython-312.pyc
Size

54KB
MD5

ae4cc7a51e0e19ecc1f145fd67c93491
SHA1

616e5b223b567d944cbfcb02caefe4f5c723b3ce
SHA256

824e1a470f7c7500d5c03f7d4e55a8cf6ffda8da6ef0c6f87d6ecf293577585d
SHA512

2fd755c8554b683079ceb781b490c5ad08cb932bba2a3fa448a30c9d45bfd4233fa2fc2a0f32af0cc90ffd25206c4fa8593f4658d9b480d15450a6fc05231fca
SSDEEP

768:gzYJbifQ4xBicRRWcTswmOHRTCGuKsR4j+52uzmV2fT5Mma9O:HJsVoHjB4jvw9fT5VUO

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2732	AcroRd32.exe
2732	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2756	2216	cmd.exe	32
PID 2216 wrote to memory of 2756	2216	cmd.exe	32
PID 2216 wrote to memory of 2756	2216	cmd.exe	32
PID 2756 wrote to memory of 2732	2756	rundll32.exe	33
PID 2756 wrote to memory of 2732	2756	rundll32.exe	33
PID 2756 wrote to memory of 2732	2756	rundll32.exe	33
PID 2756 wrote to memory of 2732	2756	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Config\__pycache__\Util.cpython-312.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Config\__pycache__\Util.cpython-312.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Config\__pycache__\Util.cpython-312.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1f161b69f87fd1b3b5a402b18a18a367

SHA1
84e81c62d3f5f8c8a89acfec1fbdecd54591fc4f

SHA256
89556a7396c07542f9525d761446dc1310b88b74c8f9fcc89b84f78f951f3670

SHA512
45957f0f4214e3381013099e719858ab2e575fa63d3b937d1e07e77dc836b6f430dc708c60bc2542ca3a1f5d100dc4bb31e7bdd1003c85d606c36e08f5db330c

Download Submit