39ec76a40c9ca23930ef6191263e8b613d7cf2280cc1371dc9ee3b6ea7827d24

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lib/ntpath.pyc
Size

13KB
MD5

e5d99efbf612906aa70335265b51282e
SHA1

897bdc2323c946f8478fc0b3b5936a227fafaa55
SHA256

e10d48bd12451d61c4a1a81660513ad2a7502c8d4c9be6619f45975e4150b420
SHA512

ed5e42c7f1fbf132ec874a87f80c20b7b154caba5843d0bd5059a8fc1f31ecbf7e23ae809890e4f9a18a2cf32d9672505503ca824635ec3b622eaba2fed78c78
SSDEEP

384:XFOBBBf3KC904OuN19IlGWz7yWS0YrdZ+O1PxMB5rK8gjV:w7l3WvuN19IlGW/yWSZjRxMHuL

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2544	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	AcroRd32.exe
2544	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1072	2428	cmd.exe	31
PID 2428 wrote to memory of 1072	2428	cmd.exe	31
PID 2428 wrote to memory of 1072	2428	cmd.exe	31
PID 1072 wrote to memory of 2544	1072	rundll32.exe	32
PID 1072 wrote to memory of 2544	1072	rundll32.exe	32
PID 1072 wrote to memory of 2544	1072	rundll32.exe	32
PID 1072 wrote to memory of 2544	1072	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lib\ntpath.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\lib\ntpath.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lib\ntpath.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
127ac530f20276e39de974804162d272

SHA1
c4f2523d2c0b4288f7370b028e09e78f70258e43

SHA256
df4e45af6945b0ef0a20f01404271df5357b330a555fead2e5cad001d4f4caf8

SHA512
9fcaa2c7ac3724d6afb192c13e09b9d2c96988c42dab1474256ff5100d5a7365913f21ee48f01e8d240ff231f695feaf8c6ca92e2b9eb1f1b94d0eac7c97b7b9

Download Submit