c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd

General

Target

c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe
Size

38.3MB
MD5

8ef2804f01784e97957a16ca44dc41bf
SHA1

6438f214cb5c1e09d136b94f0b4717db063d0993
SHA256

c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd
SHA512

a2db781b83e978e8fe1328a0806b4728015de93b433b0ee7b527299f57db29a19fbe8d262011c2c6d68df4b3cac270ed06d0e1d7f5e97392e27ee4e72c6659ef
SSDEEP

786432:nLlhB4VtKoI5m4F21NglZqYljcTCgoMJ5Ux3KKCYe7+mYsv9S5X3NB:L0tKoq21Qt4CJvAKCYe7+Go5n

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1256	Autoclickersetup.exe
2832	Stub.exe

Loads dropped DLL 3 IoCs

pid	Process
2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe
1256	Autoclickersetup.exe
2832	Stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2772	timeout.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\py_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2512	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2512	AcroRd32.exe
2512	AcroRd32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1256	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	31
PID 2432 wrote to memory of 1256	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	31
PID 2432 wrote to memory of 1256	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	31
PID 2432 wrote to memory of 2416	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	32
PID 2432 wrote to memory of 2416	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	32
PID 2432 wrote to memory of 2416	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	32
PID 2432 wrote to memory of 2480	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	33
PID 2432 wrote to memory of 2480	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	33
PID 2432 wrote to memory of 2480	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	33
PID 2432 wrote to memory of 2212	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	34
PID 2432 wrote to memory of 2212	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	34
PID 2432 wrote to memory of 2212	2432	c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe	34
PID 2212 wrote to memory of 2772	2212	cmd.exe	36
PID 2212 wrote to memory of 2772	2212	cmd.exe	36
PID 2212 wrote to memory of 2772	2212	cmd.exe	36
PID 1256 wrote to memory of 2832	1256	Autoclickersetup.exe	37
PID 1256 wrote to memory of 2832	1256	Autoclickersetup.exe	37
PID 1256 wrote to memory of 2832	1256	Autoclickersetup.exe	37
PID 2416 wrote to memory of 2512	2416	rundll32.exe	38
PID 2416 wrote to memory of 2512	2416	rundll32.exe	38
PID 2416 wrote to memory of 2512	2416	rundll32.exe	38
PID 2416 wrote to memory of 2512	2416	rundll32.exe	38
PID 2480 wrote to memory of 2860	2480	rundll32.exe	39
PID 2480 wrote to memory of 2860	2480	rundll32.exe	39
PID 2480 wrote to memory of 2860	2480	rundll32.exe	39
PID 2480 wrote to memory of 2860	2480	rundll32.exe	39

C:\Users\Admin\AppData\Local\Temp\c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe
"C:\Users\Admin\AppData\Local\Temp\c1b9767756e0c85dd2a04013e53cb97817a055135fde76046871279297addcfd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\Autoclickersetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Autoclickersetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\onefile_1256_133712473237248000\Stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Autoclickersetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2832
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\toggle.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\toggle.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2512
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\autowizardmacro.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\autowizardmacro.py"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Autoclickersetup.exe

Filesize
38.4MB

MD5
5c86af29498bed9af530e273d2935989

SHA1
d7fe55bae0668a5b6972985ec8de622940492104

SHA256
e8d07f42903f50cb8ac1842acbd1890f00693df8a86fd1d8c4c3c52efdb23c59

SHA512
a9ceb58d7428c033b6458845209666b90115325148c2cd773297ebff702950b285c054d34e7ef0a22bc592c7576a1da80fcbfda21563d81ffb7985b2dabd656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\autowizardmacro.py

Filesize
1022B

MD5
57548ef8569dba8cbfbcd0dafbe242b6

SHA1
09bcbe02692df3b347bcd8b4b7bf7a9bd2af5820

SHA256
92a177095ca989cd0e07f3bf36bc2d8f3ecc33105ccbc1d1d906a3b9eab69535

SHA512
19dcedacedfb6a3d176c7492170f374b9e3c93ae8c75f065715c1d8c3077869fc06cf6df230360acb93038ae5d3d67c16b1e7264589c8125b49eb3e6003151f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1256_133712473237248000\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.bat

Filesize
216B

MD5
294d092b45e7f135679f5090f34afa81

SHA1
e52b83bf1355426363f035b5841f69b30df18bf4

SHA256
155f31d0aaa0eb24275999c83fa1469173214a9d2ada8e92c4c695989fec1c57

SHA512
35ab23b3d3eaa97b24721fb5db8d4134de6be6c5386ab28b9b9d3c90c1632d3a901c545dffdb381d254046cb312ff8179cffcdaf2f032dc63554bc2417449b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\toggle.py

Filesize
993B

MD5
e8b5ad66c14f55adac0d510fc79cab44

SHA1
2c789463a88d30bbde34f3e2c3585166bb9ba395

SHA256
63ef691c1d3ee45909bf403517951cbadc7c88a13cf9d5b4f3c7bed1c67483e4

SHA512
a11cf3de54031ae7f7fb23acf286a44b8a4bf98a64a432e4bcf543f231f8bb998ae2bdda98f3cc34f1829c9654910f15a7be6e013b53b17048856aadbed064c9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6beb665f218ebb369b61fb86b14dad60

SHA1
7319c00a88f8dd1c2c0dccf25daf9e61220e3fa3

SHA256
efa0e8c2abca7c3417e752ca519550302decb17f868a01fe4523d40ad4891f2c

SHA512
21b9fa9bc9900535bf07961f20991db2c4e1bbfed5d367d60fa1e909f17e060716a46c13f0a7d153f70b9fe784804fcaaa2e2e8463a670de09dc4e92b5737f2b

Download Submit
memory/2432-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x00000000001D0000-0x0000000002826000-memory.dmp

Filesize
38.3MB

Download
memory/2432-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-22-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing