Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 18:00
Behavioral tasks
behavioral1: Tropical External.exe (resource win7-20240508-en)
behavioral2: Tropical External.exe (resource win10v2004-20240508-en)
behavioral3: Stealer.pyc (resource win7-20240611-en)
behavioral4: Stealer.pyc (resource win10v2004-20240508-en)
The sections below report behavioral3: Stealer.pyc run on win7-20240611-en.
General
Target: Stealer.pyc
Size: 71KB
MD5: 08efeae84deaffbb04080369bee72321
SHA1: 64b8d052041de22e1027bad19b8d50493e2bb467
SHA256: 6f97d33c902c8b561de53d8fede0e088ea1bc190fbdca5dbf1b7e42d7c62b5e7
SHA512: 737e6dd9a3c8319e995fc5f391fee2f67ec665d40244d6fc323e1a22dfb5c2e06d0234b0a742acd5deae3aee1d84685fb92519561d5b7c5c7c859edb809e3f61
SSDEEP: 768:T2zHKg6S6tRXI4MX6SfeD86FHL1WYG1htXTx8fPMBaS1XCZ0AnjtBnrQL4Yuhtb:T2zH76tRXIzJ6WP/xB4S1uF5FrKs
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
Process: rundll32.exe
- Key created: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read
- Key created: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command
- Set value (str): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\
- Key created: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc
- Set value (str): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc\ = "pyc_auto_file"
- Key created: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell
- Set value (str): \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
- Key created: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings
- Key created: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Process: AcroRd32.exe (PID 2264)

Suspicious use of SetWindowsHookEx (2 IoCs)
Process: AcroRd32.exe (PID 2264), 2 hits

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 2140 cmd.exe wrote to memory of PID 2732 rundll32.exe (3 hits)
- PID 2732 rundll32.exe wrote to memory of PID 2264 AcroRd32.exe (4 hits)
Processes

1. C:\Windows\system32\cmd.exe (PID 2140)
   cmd /c C:\Users\Admin\AppData\Local\Temp\Stealer.pyc
   - Suspicious use of WriteProcessMemory

2. C:\Windows\system32\rundll32.exe (PID 2732, child of 1)
   "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stealer.pyc
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2264, child of 2)
   "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stealer.pyc"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx

Note on reading this tree: the Python bytecode was never executed. The win7 image has no handler registered for .pyc, so cmd /c handed the file to the shell's Open With dialog (shell32.dll,OpenAs_RunDLL). That dialog is what wrote the pyc_auto_file class and the .pyc association pointing at AcroRd32.exe (the "Modifies registry class" IoCs above), and Adobe Reader then opened the file as a document. The GetForegroundWindowSpam and SetWindowsHookEx indicators come from AcroRd32.exe, not from the sample, and the report says nothing about what Stealer.pyc does when a Python interpreter runs it.
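Because the sandbox run above never executed the bytecode, a first static look at the .pyc itself is the next step. The script below is an added example, not part of this report and not the sample's code: it decodes the .pyc header (magic number, PEP 552 flags, source hash or mtime/size), refuses to unmarshal bytecode built for a different interpreter, and lists the names and string constants the code references (imports, attribute names, URLs, paths) without running any of it. The KNOWN_MAGIC table, the 3.7 header-layout boundary and the SAMPLE_SOURCE stand-in are assumptions for illustration. marshal.loads does not execute bytecode but is not hardened against malformed input, so run this in a disposable VM and point triage_file() at the real Stealer.pyc there.

```python
"""Offline triage of a CPython .pyc: header fields, target interpreter version,
and the names/strings the bytecode references. Added example, not report content."""
from __future__ import annotations

import importlib.util
import marshal
import struct
import sys
import time
import types

# Low 16 bits of the 4-byte magic for some CPython releases. Partial table,
# assumed from Lib/importlib/_bootstrap_external.py; extend as needed.
KNOWN_MAGIC = {
    3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10",
    3495: "3.11", 3531: "3.12", 3571: "3.13",
}
PEP552_FIRST_MAGIC = 3390  # assumed boundary: 3.7 introduced the 16-byte header


def parse_pyc_header(data: bytes) -> dict:
    """Decode the header without touching the marshalled code object."""
    if len(data) < 12 or data[2:4] != b"\r\n":
        raise ValueError("not a CPython .pyc: bad magic trailer")
    magic_num = struct.unpack("<H", data[:2])[0]
    info = {
        "magic": magic_num,
        "version": KNOWN_MAGIC.get(magic_num, "unknown"),
        # marshal format is interpreter-specific: only an exact magic match is loadable here
        "runnable_here": data[:4] == importlib.util.MAGIC_NUMBER,
    }
    if magic_num < PEP552_FIRST_MAGIC:  # legacy layout: magic, mtime, size
        info["header_len"] = 12
        info["source_mtime"], info["source_size"] = struct.unpack("<II", data[4:12])
        return info
    if len(data) < 16:
        raise ValueError("truncated PEP 552 header")
    info["header_len"] = 16
    flags, = struct.unpack("<I", data[4:8])
    info["flags"] = flags
    if flags & 1:  # hash-based pyc: SipHash of the source replaces mtime/size
        info["source_hash"] = data[8:16].hex()
        info["check_source"] = bool(flags & 2)
    else:
        info["source_mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info


def load_code(data: bytes) -> types.CodeType:
    """Unmarshal the code object; refuse bytecode built for another interpreter."""
    info = parse_pyc_header(data)
    if not info["runnable_here"]:
        raise RuntimeError(f"compiled for CPython {info['version']} (magic {info['magic']}); "
                           "triage under that interpreter or use a decompiler")
    return marshal.loads(data[info["header_len"]:])  # loads data, executes nothing


def names_and_strings(code: types.CodeType) -> tuple[set, set]:
    """Collect co_names and string constants, recursing into nested code objects."""
    names = set(code.co_names)
    strings = {c for c in code.co_consts if isinstance(c, str)}
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            sub_names, sub_strings = names_and_strings(const)
            names |= sub_names
            strings |= sub_strings
    return names, strings


def triage(data: bytes) -> dict:
    """Header fields plus referenced names/strings when the bytecode is loadable here."""
    info = parse_pyc_header(data)
    if info["runnable_here"]:
        names, strings = names_and_strings(load_code(data))
        info["names"], info["strings"] = sorted(names), sorted(strings)
    return info


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed, harmless stand-in for a stealer-style script (not the sample's code).
SAMPLE_SOURCE = (
    "import os, json\n"
    "WEBHOOK = 'https://example.invalid/hook'\n"
    "def collect():\n"
    "    return json.dumps({'user': os.environ.get('USERNAME', '')})\n"
)


def build_pyc(source: str, filename: str = "sample.py") -> bytes:
    """Compile source into a timestamp-based .pyc for the running interpreter."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack(
        "<III", 0, int(time.time()), len(source.encode()))
    return header + marshal.dumps(code)


if __name__ == "__main__":
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(build_pyc(SAMPLE_SOURCE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run with no arguments to see the constructed sample's header, names and strings; run with a path to triage a real file. If `runnable_here` is False, the reported version tells you which interpreter to install in the analysis VM before unmarshalling.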
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize: 3KB
MD5: 3bcd2c28e672d58086c611d4edeadb6b
SHA1: 65b414b0641f5c7de03158ac6d04a92d4c933c8b
SHA256: edaf056300532aa462b3a312f193c50b6ecddbd7d845ad8ea59a02a0148be01a
SHA512: b884fd8b5126d617e6e05d3c2d5470d962997127c15970ee144adcc731e081ed3acf70ff469b59e984e312406af390d01ea86950c615aca0db6f2bf09c67a27f