50ccc8a2f06d1f0ca6c62319241c6ebeaea15d7dbdf6c6ad7bb5f345b7cf5f68

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

185KB
MD5

5463d3400ee6e2adf62c79303697815c
SHA1

b88d90078f849c378448c38c2e5e9609a4d3edda
SHA256

c028dc647cc9a22bae7052ecbec6a037b4572ca8741431f4f39a552b7c00d517
SHA512

91d65c80be62eaa544f48d322ba64060cbaaa00bbece6aa738eb9c32b1356a13bd4a806c6265a9796b91fd8c82808433384068422d7aa2a9aa31d178a9219b64
SSDEEP

3072:wTsALaui6A9MMXllogPEtelZN+tVZaXLigwDbHCkn0:wTDWuiLBlog8cN+7ZaXLigwDzCh

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	AcroRd32.exe
2724	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1004	2552	cmd.exe	31
PID 2552 wrote to memory of 1004	2552	cmd.exe	31
PID 2552 wrote to memory of 1004	2552	cmd.exe	31
PID 1004 wrote to memory of 2724	1004	rundll32.exe	33
PID 1004 wrote to memory of 2724	1004	rundll32.exe	33
PID 1004 wrote to memory of 2724	1004	rundll32.exe	33
PID 1004 wrote to memory of 2724	1004	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
140cb478600e1dc098fc84fad9b21c2d

SHA1
9df33b8191959145a3a9851cca559aa4e842600d

SHA256
5c3d865f88b59620eaa6c7c0f2192d6b31f9e04932063737be3a1476a202390c

SHA512
26bfe49ef80d99c453c38eed7de3a24034c1e0dcea9d3c516d8d4ca2ddecb019c21fb88ae6e683c2dcc9f073434579a1ae63f849294e9bd5f06fb1bd394c7a53

Download Submit