17140c416cee13fc7d2a544141721b46fbc263fb9ce9d0d0abb389c8bb5914db

Analysis

max time kernel
0s
max time network
1s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 17:35

Target

xniggerskid.pyc
Size

261B
MD5

c3a7a6e878f290dfb85230d416fea4c2
SHA1

b5a21ce5c3258d4b5ed92ecfa6b7dc35b994c5bc
SHA256

17140c416cee13fc7d2a544141721b46fbc263fb9ce9d0d0abb389c8bb5914db
SHA512

1950e4b37093b3d778c8712e56c6ce74a8e810c013e89631add228502e39abde1a6071338019c94eba48a62e6a6c6d904ed2dd7b409a9c38f7ad7219218e1171

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3068	1984	cmd.exe	31
PID 1984 wrote to memory of 3068	1984	cmd.exe	31
PID 1984 wrote to memory of 3068	1984	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xniggerskid.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xniggerskid.pyc
  2⤵
  - Modifies registry class
  PID:3068

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact