e848e89a75f49e51365a4be66cf58ab737c7ad216d10afdb8ac7c25f2e8bbfde

Analysis

max time kernel
0s
max time network
1s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 17:34

Target

xniggerskid.pyc
Size

261B
MD5

8b8d984971b306d45206ee86ff411741
SHA1

859b9fdaea8933b3407a51ae3c1fedb13c29f257
SHA256

e848e89a75f49e51365a4be66cf58ab737c7ad216d10afdb8ac7c25f2e8bbfde
SHA512

ebae5717f6e7162a834c1da31e879ca98a23dc6ccf017679d0512b8c59f23c885a0209b9dc22c78bd3b9d3c248536c39a180c42e3d0f5f3369015c4fedd35008

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2824	2528	cmd.exe	30
PID 2528 wrote to memory of 2824	2528	cmd.exe	30
PID 2528 wrote to memory of 2824	2528	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xniggerskid.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xniggerskid.pyc
  2⤵
  - Modifies registry class
  PID:2824

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact