78d034e0ae926ef07622d3996b628f13b7132bbd8871c1988c38d4edb5c4ee93

Resubmissions

21-11-2024 22:01

241121-1xlvpsyje1 10

21-11-2024 19:51

241121-yks25sznhl 10

19-11-2024 23:42

241119-3p1d8szpeq 10

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

182KB
MD5

f51fa172d42273a07d2e0b082a809c62
SHA1

92f18fc7befa24c2b5719f6753915b9d59d74735
SHA256

a3dd64b49237f4fcf8f678e93602e2c8001d43422978a8b9325994aac82e2471
SHA512

0c6cf0b810adc465b98680b701d7906596ace5e169174c47678276d6e17ac01dbcaecf89e564d8c07f607bf0dcc5ffbabb5d67679318a9093f718fa7f865cf4a
SSDEEP

3072:0VL7NyA9MXSE2olJVqvpuSIVMZJiT0g5cbzdgC8nj:u/Nzw2olTquSImZJiT0g5cbuCg

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	AcroRd32.exe
2556	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3032	1976	cmd.exe	31
PID 1976 wrote to memory of 3032	1976	cmd.exe	31
PID 1976 wrote to memory of 3032	1976	cmd.exe	31
PID 3032 wrote to memory of 2556	3032	rundll32.exe	32
PID 3032 wrote to memory of 2556	3032	rundll32.exe	32
PID 3032 wrote to memory of 2556	3032	rundll32.exe	32
PID 3032 wrote to memory of 2556	3032	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1eb107112a8bc2ebf6653080a229837e

SHA1
9155443eb4a7603b718003647ded108fb9796ac9

SHA256
1e50c7fdddeed181af52b8f10bcd0650031799c3ee02c8733f52c87800eb3c25

SHA512
9db6ef4dd32406ae46f2dfdfa5b5527239bc8511321e7592d6c92e909ac3d214565a95f68391cadb16483eb562afcd9d086c2f8913f572ef1dcd70040bc6a03c

Download Submit