Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-12-2024 23:00

General

  • Target

    _collections_abc.pyc

  • Size

    50KB

  • MD5

    60b1b6f71502b5af1e52305a2a0b1db3

  • SHA1

    7e3d6f0c2dbfa11bc5d46162c1b995c48ef0bf97

  • SHA256

    575c455c2d7630afb48bc76c7320544c57739c7660b4320d0aaec909234c0572

  • SHA512

    62e478a77c535c4bb1e1297d6f7cc5248c4122ec66192b34b28d6cf5019df96ee24503972af4b0f71a20806c12cbb40722436178a7b4b29f4af92a8dd75f5dcc

  • SSDEEP

    768:4W0g3LUXl5SPb9TycwdvkimlmAQ4sqL7+w/jEthRUeRKivBjjW:4W0g3LEGe1vkimlmAQRqLShRUGO

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\_collections_abc.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\_collections_abc.pyc
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\_collections_abc.pyc"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    7555a96a0a3a8f383b96ea4e18af02ef

    SHA1

    bb651f08244e562c149030acfff78ca54770a70f

    SHA256

    1f8482891537bd78a456e3f36b2c66ffd0b7f0e9f25d162102adbeb1e269342b

    SHA512

    f37e4be8d14e7a892b2f4f3c9f821627d53f553ded7bfa70cc75ec2acf3f1029a7cb28334f5f88c1f5e3503d8dcbb800ed5d4d5eeeedc4450231c62e968c9077