Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2024 00:54
Behavioral tasks
- behavioral1: Sample FnPuller.exe, Resource win7-20241023-en
- behavioral2: Sample FnPuller.exe, Resource win10v2004-20241007-en
- behavioral3: Sample FnPuller.pyc, Resource win7-20240903-en
- behavioral4: Sample FnPuller.pyc, Resource win10v2004-20241007-en
General
- Target: FnPuller.pyc
- Size: 28KB
- MD5: bcc9dd0d1310bddac3a52fc95ce2bc0b
- SHA1: bd3144b8f9c97084342fbc87c9af0e1c95b41520
- SHA256: f0919b3ea04506a3498d7a42d792a7ac15661425884f42296b7683e08bcec228
- SHA512: db6dc3528ab973db406f702d7f4d832b4f6ebe39f906782dd685c1a508282f386e612ddfa6c24facc831805b4d57769549844f3a56fd2c4894deafcdff15a8f7
- SSDEEP: 768:TWFBrYykyutXEH8SEQCsraKmIIF+EncA2:TlZyO+EoG6m+5
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
2856 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
2856 | AcroRd32.exe
2856 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 1628 wrote to memory of 2652 | 1628 | cmd.exe | rundll32.exe
PID 1628 wrote to memory of 2652 | 1628 | cmd.exe | rundll32.exe
PID 1628 wrote to memory of 2652 | 1628 | cmd.exe | rundll32.exe
PID 2652 wrote to memory of 2856 | 2652 | rundll32.exe | AcroRd32.exe
PID 2652 wrote to memory of 2856 | 2652 | rundll32.exe | AcroRd32.exe
PID 2652 wrote to memory of 2856 | 2652 | rundll32.exe | AcroRd32.exe
PID 2652 wrote to memory of 2856 | 2652 | rundll32.exe | AcroRd32.exe
Processes (process tree; indentation shows parent/child)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc
  PID: 1628
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc
    PID: 2652
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FnPuller.pyc"
      PID: 2856
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 096cff0d3fd7f24e190630e8b0e9f968
- SHA1: 58407779ccc820a3dbf75db62d026e12ae31a479
- SHA256: 97039183b270944a392f4bcc9cdd382dc6deb7a2d9e019fe15f1c1028a9de797
- SHA512: 51fcaa27b95e58529164857eaaa55604c400e0bed28e1282e9dbd6d111a40fd8b817805453f3ce42b3cc21344c02eb6e4d5bcb269150c099d88a035d799fb70b