6ad00a113e2f70f9ed6af286fee6da9b45e81b2e71761d7519cf6b00dc46175f

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/10/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

protections.pyc
Size

1KB
MD5

355040df14f6bd722a2a0b7f1d6eb1e8
SHA1

8e97bccd9f197cdf68c8c59c3977d777a93c01a6
SHA256

1e31ae35f20601b1ae87becba9a28864b19efabb04bb4c9ebee53f49557f236e
SHA512

d8a046d8abc510fcb57215be1936f73be8d0aa731a13cf1d347a3d99f5dc5f0d7faac208f8185be21434890d6f0688a9552fa882f4b797bff3b6fd2b9d809a61

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	AcroRd32.exe
2736	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2780	3032	cmd.exe	31
PID 3032 wrote to memory of 2780	3032	cmd.exe	31
PID 3032 wrote to memory of 2780	3032	cmd.exe	31
PID 2780 wrote to memory of 2736	2780	rundll32.exe	32
PID 2780 wrote to memory of 2736	2780	rundll32.exe	32
PID 2780 wrote to memory of 2736	2780	rundll32.exe	32
PID 2780 wrote to memory of 2736	2780	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\protections.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\protections.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\protections.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
092e12379d12c1b1fcfdb8f6ed08db85

SHA1
b60977d708a42ab35f067d7dc14df3f7c30a6d4c

SHA256
d158f0fe9715d050c3d197ebf943b7cc3d2c8dd546f41d9bf6c969d19165962f

SHA512
96cf953eff4a15c02d5335ba567fd1cf3100c147068d5aa851a6dcd2fd023402fd4e1dd0ec076b25b3e1db80eeef03836eb30beba7ed698e7cea823f13014f81

Download Submit