Analysis

  • max time kernel
    103s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    15/10/2024, 21:26

General

  • Target

    loader-o.pyc

  • Size

    63KB

  • MD5

    8de2b2c9af7704e4c2ba5a86f94a216b

  • SHA1

    ff16489804fc2708ec5091f996a3186d7caf7d74

  • SHA256

    9317d8ca4325112f32d959f94de7b5a3e9df47f4ea29cda9b6546b9129e759e0

  • SHA512

    cdb5119edecec96f95463b56720c1cb90f41d42ae331f81e302e3daccc457fe2476e73e6e1b8a16a80b97dd7e02c4a3c9900616439278e8ef35794455c2f1484

  • SSDEEP

    768:XSRsdpf+li6q7MTvZUwxbKnV5qmd49qrwcMdmgug4FCbTfqf3:XSR0f+liaTvZZs5iIrquHCbOf3

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\loader-o.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\loader-o.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\loader-o.pyc"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2920

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

          Filesize

          3KB

          MD5

          e0bfe2254cb21ba149602b7aae2f2b2d

          SHA1

          9f80c3e4e9d51372226696927aea772a2eeecb5b

          SHA256

          41357852b0b273ff83b76ac6dc475f06a93096b737bfa70b43a1c744856837b8

          SHA512

          e3361ffb9227018996b1dfbef3d4ac49abe0a8533a38a8edf973c38efb1e4ef89bc4507f236f96dd60d9709c1fb0c2a7561b2414c9d569dd2df12139745fa535