5641362511a32a806a5bf59e45b34628917e5ecfcc9fa48b8468c83811098467

Analysis

max time kernel
34s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

63KB
MD5

fdc09f129473e524c491ae79f44b8a59
SHA1

29f6ae8b3b942f808d0cdc283970ff71e668dbbf
SHA256

cc880696781b56da890b2debae0fbad6a9f714ebfefe398d1e56dbdc467bf2d2
SHA512

65cea897d4a6285109a4b4dcce85580d69cb9b8cf0cfc85840885fb3b702ca6ed3bec71abc91326f6d0015065c493588b471e5fdb76e99e321d53344d17026f3
SSDEEP

768:wbXmUqlPniou3Ti2zXwhdG87YbL7l9FZwDU6jqnWo5bleSCkO579qfikwth9iNdt:wJqlPV6jwK8kZdKEpqan4hogoocOzV78

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2860	AcroRd32.exe
2860	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2828	2936	cmd.exe	31
PID 2936 wrote to memory of 2828	2936	cmd.exe	31
PID 2936 wrote to memory of 2828	2936	cmd.exe	31
PID 2828 wrote to memory of 2860	2828	rundll32.exe	32
PID 2828 wrote to memory of 2860	2828	rundll32.exe	32
PID 2828 wrote to memory of 2860	2828	rundll32.exe	32
PID 2828 wrote to memory of 2860	2828	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5752608dc9f40066d69044680d9b362b

SHA1
0c0b7f8899eee385be4b996ce2ab1713f88e7018

SHA256
05e7cacdd0598f661d4cde7952708808ce3535dc68fe8906bb406b1869285dea

SHA512
a633243bf49667dac2c3eb61f2993ff2d1b574cfbf50d7e1d77b45c7151493e5abc2aef3b6b1bcd8eecef72a94ca9579122bc1afe4c06cd974fe443482e49a4d

Download Submit