bf285c1bc797434aa522968ec26c1338c6c7d1a672be168562baa57ec5d9eecb

Resubmissions

16-02-2025 17:21

250216-vxb3lstpey 10

16-02-2025 17:18

250216-vvj1fatpa1 10

27-06-2024 13:41

240627-qzlbvaweqr 10

Analysis

max time kernel
104s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-02-2025 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

63KB
MD5

bfc73dd4f48b4cb7db081c826614bd0e
SHA1

34113c3488023823093b4d31df6d3fed56d04093
SHA256

d731ea94949cfd6e883dcb2809964f66e8304a971ca91e970158ee4aab568bd3
SHA512

0069b9f1cf876a1c44df421882bf6ef47369828d8802168cfe52b7ea2e8cba41d3357839dc97d0e2e408e2234c80649ee69ab06ca73053c214d572b0ea8dc5b1
SSDEEP

768:cpkPIlgVgeE6fREyLJjN4TFch+eXZldsN4uJ3EcUFNy92yKZj1DoEUgqXAz7ZEAu:chgVggEo8TFxikqcUFzFZDo7Afzhk

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2840	AcroRd32.exe
2840	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 1372	108	cmd.exe	30
PID 108 wrote to memory of 1372	108	cmd.exe	30
PID 108 wrote to memory of 1372	108	cmd.exe	30
PID 1372 wrote to memory of 2840	1372	rundll32.exe	31
PID 1372 wrote to memory of 2840	1372	rundll32.exe	31
PID 1372 wrote to memory of 2840	1372	rundll32.exe	31
PID 1372 wrote to memory of 2840	1372	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
51b1b7b84b0c6a1b1ce89b0768c00d7d

SHA1
dc9f21d7bd549f87d32e6553f85f0a5c6282eab5

SHA256
2e46b9e7d6e00e574c285cacc0dee5334bdca52dd44b6aceee6464e46051278f

SHA512
69fb409dcaeaaba6afda78790ed6c9b8ae3c3022c90f4c5612b2c22cd1b83bd383f289ee5eb7ccd236a1b015f16eb72b08f80b7f0262767a7c778ec1b6ca0862

Download Submit