dc007eedcc5771b76b7168e4be1c6b4f9b5a38cc358e94f9efe3ee53d245773b

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16/11/2024, 02:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Condo generator/env/Lib/site-packages/PyInstaller/__pycache__/__init__.cpython-313.pyc
Size

1KB
MD5

cd22d1a829713d549aea1d99bb12da87
SHA1

81ce74260a8143b9033135fb0ad2a2320ac0ebb2
SHA256

0c5c0c02b85951c9d19c839a16137ed1d8e9f99e39b3d020e7893fc5cfbbdd10
SHA512

70b5d7ae89f0d95b9c214bdbf7078aaeeecce1630b211a8be3bb808071d0f4ecf25e0f8fce9f79eb9f9073d958419d6589086c1f9bd914aa17ccc261bb1c8b57

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3040	AcroRd32.exe
3040	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2312	2412	cmd.exe	31
PID 2412 wrote to memory of 2312	2412	cmd.exe	31
PID 2412 wrote to memory of 2312	2412	cmd.exe	31
PID 2312 wrote to memory of 3040	2312	rundll32.exe	33
PID 2312 wrote to memory of 3040	2312	rundll32.exe	33
PID 2312 wrote to memory of 3040	2312	rundll32.exe	33
PID 2312 wrote to memory of 3040	2312	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Condo generator\env\Lib\site-packages\PyInstaller\__pycache__\__init__.cpython-313.pyc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Condo generator\env\Lib\site-packages\PyInstaller\__pycache__\__init__.cpython-313.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Condo generator\env\Lib\site-packages\PyInstaller\__pycache__\__init__.cpython-313.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1a16d3ec01b156c1b0aa5ca91bc4e12f

SHA1
edcf9f9437a25dff4ac83e0b2a5f688933c85bc3

SHA256
6f67c6fe1119d7e53f4a707e8c6024eeaad4c0ee843a6c50a624e358a3f73e02

SHA512
8aabb668f6edbbe9706587e52ce7876c01fbc602bee5513ca104333424cafa407fe010ddeb299070f1152da367566206f96cc532da3108e99bb8f2614d9d2b70

Download Submit