717d574ab49230cd228c2c0fa25ca5f818bf894f2eae16c68d7843d7f81f6cc0

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoshC2-master/poshc2/Utils.py
Size

7KB
MD5

98bcce16c47eef2a8363ce539d5c89da
SHA1

2e3585e79f5e3942f27a1ac8e2aa4d10a44077ef
SHA256

61343f8989f9f64ea5e0051c1184bcdd2dac397a0bb1f2bcde031f431f3f401c
SHA512

645a467c7eb6e7848dfdbcaa5ae5d0f85c91dad63afb302d31295235872496c2876ca92b6b466c8b1da5e9a744849c173a33b9630d73679adf8dfc777a3b2f03
SSDEEP

192:JRtatOL98V0j2uQ4W97XAcLvlHNChkoe7z9lZ2:JRoEhcf+WlXtLJoWoe7J2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
2800	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid	Process
2800	AcroRd32.exe
2800	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	Process	procid_target
PID 2100 wrote to memory of 2796	2100	cmd.exe	31
PID 2100 wrote to memory of 2796	2100	cmd.exe	31
PID 2100 wrote to memory of 2796	2100	cmd.exe	31
PID 2796 wrote to memory of 2800	2796	rundll32.exe	32
PID 2796 wrote to memory of 2800	2796	rundll32.exe	32
PID 2796 wrote to memory of 2800	2796	rundll32.exe	32
PID 2796 wrote to memory of 2800	2796	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\Utils.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\Utils.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\Utils.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6117488a92321f971660436735e9a50e

SHA1
9a59b34879f9fd07d79c991c8efa2a42baa55a6f

SHA256
a79bb30c74fe238a8978137c4a6f129d5d4e7617d881cee34ccb5e3f66e96268

SHA512
c30f53270346fcfad26c0ee8b3b53e3e2205dceb53db65d8f4b8b884f7f2fc9b07c94b6e0ba73bb8c5c72558b4dfb689209f06add03922d07424cefe2b23a6ef

Download Submit