717d574ab49230cd228c2c0fa25ca5f818bf894f2eae16c68d7843d7f81f6cc0

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoshC2-master/poshc2/client/command_handlers/CommandTags.py
Size

567B
MD5

f7775af7f042c7eb56af60a9f9c29b21
SHA1

5bcd77293af2169d107591696f8aa22b68ad1b4f
SHA256

54701bc1c26ec192f33fec4f1d0b8553e881b85352f8847c6a49bdea25c40337
SHA512

0414d5a563761ddb5087a32538c21f4a17d05e171044beec94baa2df767a2efd66fdf5cf31ac52d9e22375bc0110f5b14000119f2a244541384c3c2f03b8d326

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
2720	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid	Process
2720	AcroRd32.exe
2720	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	Process	procid_target
PID 1728 wrote to memory of 2664	1728	cmd.exe	31
PID 1728 wrote to memory of 2664	1728	cmd.exe	31
PID 1728 wrote to memory of 2664	1728	cmd.exe	31
PID 2664 wrote to memory of 2720	2664	rundll32.exe	32
PID 2664 wrote to memory of 2720	2664	rundll32.exe	32
PID 2664 wrote to memory of 2720	2664	rundll32.exe	32
PID 2664 wrote to memory of 2720	2664	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\client\command_handlers\CommandTags.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\client\command_handlers\CommandTags.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PoshC2-master\poshc2\client\command_handlers\CommandTags.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4573affd6ace45556372de724e5432f5

SHA1
20a4216645c8e48cdb2203f72606f8e18eaa28bf

SHA256
a679f4abc0223ec455fb31b02f5a2450cc561e6272d8a77bd6e60910b476e950

SHA512
e7dcec5629d50b41e82e0dc4bd7d4727b8f748dd7e3728fd62113ed148b124bc78d96964848b2edda20a16bcd4ec4c468530a3299fb8898d229d1ed432d77f0f

Download Submit