8751f5824a27f1a54ea746495eb8bf015e55c56d1128ca39dab10a2bee112359

Resubmissions

11/11/2024, 10:44 UTC

241111-mswx8aybkj 10

25/10/2024, 13:05 UTC

241025-qbvklszdkh 10

23/10/2024, 19:44 UTC

241023-yf1anayfjp 10

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/11/2024, 10:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

168KB
MD5

11f6c56cafe9a1a6efebe7618868003b
SHA1

27d6b5d6d315bf5063737561dfce2d72e1ade7dd
SHA256

d97bfb28b1c258bf7964fa90325bcc22dd3e2ed22a954d0ed21b51c756a0cd88
SHA512

3efa1c586ff5493e01cc48857bcf449583c3e93bfafe96a5c630f6c6a4403d0960b1861303f66a344d07c556e1518c1b85aabf10a6409fdab4b30850f44d28c6
SSDEEP

3072:AexHVNaOO/5ESl1RdotPZTJ0pZXScT0o+IvdXzusTWP:BNaOO/5ESFdoCpUY0oysS

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1972	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1972	AcroRd32.exe
1972	AcroRd32.exe
1972	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2720	2852	cmd.exe	32
PID 2852 wrote to memory of 2720	2852	cmd.exe	32
PID 2852 wrote to memory of 2720	2852	cmd.exe	32
PID 2720 wrote to memory of 1972	2720	rundll32.exe	33
PID 2720 wrote to memory of 1972	2720	rundll32.exe	33
PID 2720 wrote to memory of 1972	2720	rundll32.exe	33
PID 2720 wrote to memory of 1972	2720	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
026a506b1e1c9ac013e44602d8b5fc41

SHA1
428614cda7dab4f752b8a46b0ba125a56576c276

SHA256
3782e4a3b5eb5895522ac795e07458cf5699af6e08345c5f587c56d7be69ec65

SHA512
80d6717730af5bee3926ac27ac100e849ec9cee7c84befdc9b98b3817d50358d4541a0f6919525c030be6aa6a359b73281c35df9cbc1102e831256ff04620040

Download Submit