1f0aefeb08926a4be355ae1ab66994e3296196b44c53468fcc5ebf3ac16af0a9

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub.pyc
Size

873KB
MD5

ed3be9257cf356147bb4ea0c13027af0
SHA1

7839f02ed1f3145f1f8bae4c180ec477cc91e626
SHA256

179c27f493f671fe4ed7e7fd226a93db507bef7a125e9e2a6386b4c196f13dd0
SHA512

13be7ba642a4cf99badea150b358c8535df5118529152e04704c6b2ae36b63c484c4996567c175ae24f68b71bc450ad2ebc2c5c70f05babfdee8f377d1f4d881
SSDEEP

12288:5HXdGYsKWcRVZUFzT2Ozx6wHnnBu+oZEutxjlia5ErBGfSybtUKEVsHOKwaAc7va:tsYsanczyIBsEgUXeS6KxkVAI8

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	AcroRd32.exe
2812	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2736	1320	cmd.exe	32
PID 1320 wrote to memory of 2736	1320	cmd.exe	32
PID 1320 wrote to memory of 2736	1320	cmd.exe	32
PID 2736 wrote to memory of 2812	2736	rundll32.exe	33
PID 2736 wrote to memory of 2812	2736	rundll32.exe	33
PID 2736 wrote to memory of 2812	2736	rundll32.exe	33
PID 2736 wrote to memory of 2812	2736	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ae252d19bbbea103052ee759a847efcb

SHA1
ce72a1651dc1e8415e5944895b490da0c8f66868

SHA256
373b6ed6729b3c92e3de4dfcd883682b3364de2f7ecbba0fcf566796da7b50df

SHA512
bbe3da4cf4edbfe848ccbebc174ea2457cd37e3cf1ea16bf28bcd6c14fabc6366c851a5de272eb6a243572462d3a84ca9ee77d569677b4de67d9c7fbd58ea8a4

Download Submit