c64a7a84d98c5b4adfb368c546d021d3992e10677e458c2184f8a67068799d8c

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

172KB
MD5

e71af41e6590f3fbd27659b6353b6842
SHA1

d35b429dd110c77c9cf45427d04ecbef41b8c9a5
SHA256

8bf0290c7289b68b3a02a29d30d287c151e33025fcea96e531e4f0387b74305c
SHA512

7e59300ed2fe89c25c7dbebd0d0504bd9abee0a7ccf29dcdb3ab72ae2930a52529e6ada670229864394756ec0eae4ca8ef76f249a97b957f922f94fde34ff09f
SSDEEP

3072:nFfBHWC0aOO/2A1w17roxPZTerUScdQQV+yXIvdXzbxsTxw:nyC0aOO/2AiroSj8Sywse

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2908	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	AcroRd32.exe
2908	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1700	2444	cmd.exe	31
PID 2444 wrote to memory of 1700	2444	cmd.exe	31
PID 2444 wrote to memory of 1700	2444	cmd.exe	31
PID 1700 wrote to memory of 2908	1700	rundll32.exe	33
PID 1700 wrote to memory of 2908	1700	rundll32.exe	33
PID 1700 wrote to memory of 2908	1700	rundll32.exe	33
PID 1700 wrote to memory of 2908	1700	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
00fdee1ae7f66c280a5ed50669dc5715

SHA1
db8ff5b058f819a4aab1db80ac372a4d1562d8e1

SHA256
b990261a352a88f29bf5a2c641076044cd734e86a2ec658f09ed5b13e2ad76b0

SHA512
01612e4e08522ca11c13604e95c052ef30ab7edfdc6eb6f59f036315f223cbdc466dfdada1fa44df5459fae8a4d6449fc41db12914eb0a3e31066abb1701ee2d

Download Submit