6ad00a113e2f70f9ed6af286fee6da9b45e81b2e71761d7519cf6b00dc46175f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

get_cookies.pyc
Size

5KB
MD5

ab0f8084441f8312bffc9d26193967ab
SHA1

82b9c1c9cd1f5a38ac2b415a96c88ce99d27455a
SHA256

6f67d11524ed42b8990be66aed829232514b364746fdceea30e0213204427be4
SHA512

1722dfe7200b5f8fef0cfc4188953621630c7ee8672586490b9309a40512eb7f99fc56ffe52f6a0970809a38e3bdd8ce1862ba6803fe6d09bdfacda1b3fe1732
SSDEEP

96:4Q0jzMv/ppR+xVBcnqhLchLPxrpTkBWeBDFZcj3KldyzoZ:sSZYXPhYhLP12zij3KnyA

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2900	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2900	AcroRd32.exe
2900	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2760	2096	cmd.exe	31
PID 2096 wrote to memory of 2760	2096	cmd.exe	31
PID 2096 wrote to memory of 2760	2096	cmd.exe	31
PID 2760 wrote to memory of 2900	2760	rundll32.exe	32
PID 2760 wrote to memory of 2900	2760	rundll32.exe	32
PID 2760 wrote to memory of 2900	2760	rundll32.exe	32
PID 2760 wrote to memory of 2900	2760	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
07de9b2edcc6bab21d32756488cf6acc

SHA1
dcc3a686cf8c62b68d5b694bd83de72c762bd003

SHA256
f9edfdb057c3ccb3f11c82859ffd80625807dba4532cb1ee628853fe3dd34959

SHA512
33a0af35a76173e3fafc4e65bfa113180590941572cca8b2e2fbc894bf93da633dad1e1a2035e03fc22572a87817cd85dc321b55af3208367ab8406b3018438d

Download Submit