fb5164e67af401005d2b5d4b328a2f9dbb48a8468f7c7010f7711507f146d6fb

Analysis

max time kernel
103s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/01/2025, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub.pyc
Size

798KB
MD5

bb21c0649989972a29315802dfed2b17
SHA1

f9c4e407e787413daff90c9fae1becdf0e47a62d
SHA256

340afc1723cfa9dfe70e6453c3c55606cd9324eb248ab4b5fa168ae51fa8a103
SHA512

1a79d416ed8b49f0d65767e8991302287eba84e54339917492b8f1938f439f625476d4935a698e8ddfa0265c241e1c79208bcba9a6dfe7cc88b11736de615308
SSDEEP

24576:XH6hUrxukyQly2rxUDTfGnvb89droab/0U7c+r:jxaDjGG7r/r

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2148	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	AcroRd32.exe
2148	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2336	2380	cmd.exe	30
PID 2380 wrote to memory of 2336	2380	cmd.exe	30
PID 2380 wrote to memory of 2336	2380	cmd.exe	30
PID 2336 wrote to memory of 2148	2336	rundll32.exe	31
PID 2336 wrote to memory of 2148	2336	rundll32.exe	31
PID 2336 wrote to memory of 2148	2336	rundll32.exe	31
PID 2336 wrote to memory of 2148	2336	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d62d90fa2ac3eb8811ad6239ab49f9af

SHA1
75f482a96b4dbcf0c1290c8c337e2565eef00377

SHA256
d577bec3802490f99e82602e38e9e94b4f2526cd3c87530deb9f0b5e24560292

SHA512
a57b963d0fb0b5854cb1d37263ebd82497c1ae7e759e94ab7ac7797e5a67f944357b12e1b215073b22c677e99aaf29965925a11a459678066af054c82d1b4e02

Download Submit