Analysis
-
max time kernel
117s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 12:55
Behavioral task
behavioral1
Sample
Blackwycghe.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Blackwycghe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Stub.pyc
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
Stub.pyc
Resource
win10v2004-20240611-en
General
-
Target
Stub.pyc
-
Size
179KB
-
MD5
5ff220de07fce3486505f9bdac298e7a
-
SHA1
5ed4df1e43e9160aa695564d22d2c62f8293b216
-
SHA256
4e26a9c63f642fe1f707ae78d1482232703797619800cbfe983c5d5f7946d4b3
-
SHA512
9efbca56b2bb90566d7fb1dc9d490b9c87760334d48fbf5c062165c51629a9b5fa860b6d3ac3a10fc6b2ee367128005af04f417e4c404b32444b95ef649c881f
-
SSDEEP
3072:dcH3I+7JxnEjXSbvjK2BO34Z7uuG6ZX3e5VKN5wjZ8LptP/hMmfod/9DYO+n:dcHB7f8CfK2B+5VTohfs+n
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc rundll32.exe Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 624 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 624 AcroRd32.exe 624 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1968 wrote to memory of 2636 1968 cmd.exe rundll32.exe PID 1968 wrote to memory of 2636 1968 cmd.exe rundll32.exe PID 1968 wrote to memory of 2636 1968 cmd.exe rundll32.exe PID 2636 wrote to memory of 624 2636 rundll32.exe AcroRd32.exe PID 2636 wrote to memory of 624 2636 rundll32.exe AcroRd32.exe PID 2636 wrote to memory of 624 2636 rundll32.exe AcroRd32.exe PID 2636 wrote to memory of 624 2636 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5a979e3769237dd1b040bbc3e57c0adc2
SHA1449ed68a58a3b933fdc2150d9b85b2b3609a58f7
SHA256b0634fbbd1c8ff0d03588313fc4a5846f6777e26da4d8e75aca0164a7263d96d
SHA51225d897073753ec6ab977d1f6d33cd0cd472fc2a83dd49a80b948e20c67cd1c66ebba30f388aa75a3806c2f0a0495acb99a71b9e358fcf97ea4f4fea0a8675da3