717d574ab49230cd228c2c0fa25ca5f818bf894f2eae16c68d7843d7f81f6cc0

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoshC2-master/poshc2/client/Opsec.py
Size

133B
MD5

aa24adaae7b83106054409dc09a027e2
SHA1

9d06cc8df3049dbd3dc1db3b13a6f1110bc1143c
SHA256

a55f8c2385d45d33778353672d566540d0cefbeca82c71b37811a2ad469e8c7c
SHA512

5d3a33c21e3f82fa1c47dd8f10af200a2854fbdfaed879c096f5a56db282f5478283b343b76432fa63c5e8de9232ff00662fecb084b8e4bcdbc2a1cf3c62ac7b

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
2980	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid	Process
2980	AcroRd32.exe
2980	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	Process	procid_target
PID 1256 wrote to memory of 2868	1256	cmd.exe	32
PID 1256 wrote to memory of 2868	1256	cmd.exe	32
PID 1256 wrote to memory of 2868	1256	cmd.exe	32
PID 2868 wrote to memory of 2980	2868	rundll32.exe	33
PID 2868 wrote to memory of 2980	2868	rundll32.exe	33
PID 2868 wrote to memory of 2980	2868	rundll32.exe	33
PID 2868 wrote to memory of 2980	2868	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\client\Opsec.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\client\Opsec.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\client\Opsec.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4c325bcdb26668d081e3f7897320ef94

SHA1
325bbb4bd9bf71f94393659165a36feaf255430d

SHA256
b8af0f6fa5839b29b9840d26641667554e437836da5fb0cb3c3644ad132a0f99

SHA512
8776b8e8b88dcc655de63536bdfdc247577038fad9e406dcb260ce5aa463b6ee6485f57c21225457b85be87866dc54e2079d16f7ec22774bb6d518d3fce83f13

Download Submit