336b29d98ff010182352bd37de82dab6e8aa0b05c0b5b63f3d2c2f1e04749be5

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

186KB
MD5

43436174a1df09e5e84d09abeec00ae1
SHA1

7a433ed4640a0019efe03a8908c90f31c89908ef
SHA256

96f58c90d385dbac09ccedf7329196cf81e0f14e9faaab720500f2920efe33fe
SHA512

2dc165a76acf016d8d37d54eb63ddb162e8941bbde3390c3c45bae2eb2c477cdda88f87fdfe2ab086d6658660d75323c85c630ebb1c561a69aa55be780609c57
SSDEEP

3072:wTYmL7zhaA9MmlRBoCJVqvpuSIVMZJ3RkgOcB4GCC8n0:wT1/zhr9BoCTquSImZJ3RkgOcmXCp

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	AcroRd32.exe
2812	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2816	1740	cmd.exe	32
PID 1740 wrote to memory of 2816	1740	cmd.exe	32
PID 1740 wrote to memory of 2816	1740	cmd.exe	32
PID 2816 wrote to memory of 2812	2816	rundll32.exe	33
PID 2816 wrote to memory of 2812	2816	rundll32.exe	33
PID 2816 wrote to memory of 2812	2816	rundll32.exe	33
PID 2816 wrote to memory of 2812	2816	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e344124b2850d0cc5d7bc486280acb1b

SHA1
0749677115904b2cd91a55bcb173e4a9bdb69e43

SHA256
8bca1e6b58b86d17bcd0101e3e03ff95b77ea91537ddedd733ab1ce7570b38c5

SHA512
3041ea4508913a73d66d55a346b79756ffaf55e48ae2f2b67fe64482b2889eeaea093f09fc8c1546ebdf01339dc31266b32a14338ed162b91dc8922d027621a2

Download Submit