f2540f6b574ae2829487b540f080e8084d2deb2364df5efa9dbe51a9f0632ee9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.pyc
Size

7KB
MD5

31ab1e8c77ff7d855f45061f32b72a44
SHA1

f57d065316bad54244b8655faef7b4c4f08373e1
SHA256

f0c5f1ac22d5980723b67a49e5e5e298f40fa20366505920eb0cd0db7cfc3095
SHA512

89afc27db76795cdd72f79832448f1ee0011c02a5d3d404af32c4aa6de4f6a1cf633652eb271a7f6efa4e46bedc852c77445035785cb598e97651b24b8d17ede
SSDEEP

192:w4ZiUD8W3qWdXw/rHj0i/ZJhwUKD4PMdwL8wnw:taWuHd/T2UpPPNw

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2592	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2592	AcroRd32.exe
2592	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2656	2648	cmd.exe	31
PID 2648 wrote to memory of 2656	2648	cmd.exe	31
PID 2648 wrote to memory of 2656	2648	cmd.exe	31
PID 2656 wrote to memory of 2592	2656	rundll32.exe	32
PID 2656 wrote to memory of 2592	2656	rundll32.exe	32
PID 2656 wrote to memory of 2592	2656	rundll32.exe	32
PID 2656 wrote to memory of 2592	2656	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8561c1fddd03faeefd1f6152d48442cf

SHA1
072e058a0c6f5699ffb378bde08eddb9029f5456

SHA256
5352ba6800b0e7e0ca1a7b041009ef6a7671f8ab2fe93385c3e01eabb28b958b

SHA512
15e68b824958b03d228380d1a95b7b0e39f3c20d6aef631bc0b33df227f46e36a8c879d897c66bb53664d9db287e8655c90ae772961a1532714636fa6da8627f

Download Submit