59f1c83d17ea02c6c8d315617f5382c49c485a149df41843d19e1d4c02f7fcaa

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

passwords_grabber.pyc
Size

8KB
MD5

1ca5633be35a5db415bc83be9852bf0e
SHA1

710a4da76579449bb0b45eecedd42aea82ba6b35
SHA256

07a93aa41dbdcd8962b2ad1fcbd7c1bf661130c1cf050a5a4ef6821d30893099
SHA512

9ac14821d21d9c7345b6cf51d9e1c31f908590fadca061ed4f5c50ea7cd28c92b169aa7985873876989e7108946090695a4c782d8251f5061d27cea7c2f35ccb
SSDEEP

192:+CE34EAL/GFf/PoXdLO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfsFO8NsxuOxNn

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2536 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2536 AcroRd32.exe
2536 AcroRd32.exe

pid	process
2536	AcroRd32.exe

pid	process
2536	AcroRd32.exe
2536	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1472 wrote to memory of 2116	1472	cmd.exe	rundll32.exe
PID 1472 wrote to memory of 2116	1472	cmd.exe	rundll32.exe
PID 1472 wrote to memory of 2116	1472	cmd.exe	rundll32.exe
PID 2116 wrote to memory of 2536	2116	rundll32.exe	AcroRd32.exe
PID 2116 wrote to memory of 2536	2116	rundll32.exe	AcroRd32.exe
PID 2116 wrote to memory of 2536	2116	rundll32.exe	AcroRd32.exe
PID 2116 wrote to memory of 2536	2116	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2536

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
eba6f90bca9462587e84ee6d6dc4375f

SHA1
5b041756ab6833e9c8e8d951bcf682d4e427275f

SHA256
dbdc9ee5d354384ee46798987525262426227c0a9c91081eb9bd920d1504c1ab

SHA512
eb27789f39a3cc882f51a21cb1d9b6b00257d0c8735cbe6781e938dcfd981f6b00f4a44359923613c55f9a0330ade9b4a9b4aa4058897a3c85f02dc8e63e48a9

Download Submit