10a22d1e474fcf99f281d21e8abe3b4178216de0bab6c1840f788512ee9996d0

Resubmissions

05/12/2024, 22:16

241205-16txns1lem 10

05/12/2024, 22:14

241205-1534ysvjhs 10

Analysis

max time kernel
1558s
max time network
1559s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/12/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

65KB
MD5

440043df3d3a8d8f789454040f101b5b
SHA1

ff70ac70be4931aa739ddf7945e02b2e1adaae33
SHA256

1a1d9b9a09ef44aafffb192dc6418f524e78d1f182c507bacc876818d8aa47d2
SHA512

6193763ec204754627b6ca59b7658bc890f0028d92cde429c72d74559f109990974c74bf4b263f929fda065836e8435141720921b7ec8490f2a0b0706d369e98
SSDEEP

1536:IacgVgJPkBBj1uYCFjUIOihdBsoGwjRQ53:gg2FkBkFwIOCsoD0

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	AcroRd32.exe
2224	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3068	1984	cmd.exe	31
PID 1984 wrote to memory of 3068	1984	cmd.exe	31
PID 1984 wrote to memory of 3068	1984	cmd.exe	31
PID 3068 wrote to memory of 2224	3068	rundll32.exe	32
PID 3068 wrote to memory of 2224	3068	rundll32.exe	32
PID 3068 wrote to memory of 2224	3068	rundll32.exe	32
PID 3068 wrote to memory of 2224	3068	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cd594a95729e71d4f8d8471ba3803e7d

SHA1
80b83d5b68e2b46ffb08b077136ff204208b4a38

SHA256
8c8ca1dee15a3d325e43dc260708f3b020ac17a8334fff6176383586e7258cf7

SHA512
2addf3ddf59e43c2dd825beec522672761153c0ecba1eef17bc3c3d27556a2291674d656f44e96e158f0d8e68da608577e8b0d5d17af7b4d5097377f98d29b06

Download Submit