e9b6cb2f91ebaa79ecb38d2170b496ed493ec76c0d32ab2cdab59e651e0e3b1f

Analysis

max time kernel
20s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoclicker.pyc
Size

7KB
MD5

90a074cd5b068780c36ed66a798864bc
SHA1

746d46c6f51311f2e76c4fd5ef26bf6e3f5dbf3f
SHA256

c23ca746df29ad14ff1f8533a92c5fcf463c55d6ea7635c0399817247c0791ee
SHA512

ff26ef21cb7b5f554b64b31f9e69155095479c1e9a8404837b67d38e8bebe7d191d083c7b7aaac963d23916ada2c50e12e45f6d09ad3e5dbcc17df20cd46285c
SSDEEP

96:MG/BK4vj6QbQs1FNjwqQdoMpLoGLCm3mWlG8U3m15o7eiuYe:f/jvdQs1FtjgoyoGhHG8U3FyiuYe

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2816	AcroRd32.exe
2816	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 372	2132	cmd.exe	31
PID 2132 wrote to memory of 372	2132	cmd.exe	31
PID 2132 wrote to memory of 372	2132	cmd.exe	31
PID 372 wrote to memory of 2816	372	rundll32.exe	33
PID 372 wrote to memory of 2816	372	rundll32.exe	33
PID 372 wrote to memory of 2816	372	rundll32.exe	33
PID 372 wrote to memory of 2816	372	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\autoclicker.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\autoclicker.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\autoclicker.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c66dc07fcc443e8d304269af59e0d8f9

SHA1
dbe322c130c77cba2a48f2ef32639e8f249a85f9

SHA256
8df28acd21a53ad9c8716086c8c7018718d4e1c7b8baf7ccf486fa2d3cb95167

SHA512
88536a413b1031bbe7deed372c9358d93e3455fb5187b3b08e6ac2ec9939d4c4e7a3be31d450c445318b0ccb49339859c6e5359ad54cb7c66f52e2fbd2e44f8c

Download Submit