59f1c83d17ea02c6c8d315617f5382c49c485a149df41843d19e1d4c02f7fcaa

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.pyc
Size

180KB
MD5

96fa06a3158c724d679bce6120d6bba9
SHA1

9a83a089b05933e154d75d9b6f613e413acb26b0
SHA256

266790e4221f2617a836529d3d2e2d554c41482651f617a761670784e9d3ea26
SHA512

dd15a1925ed5afa9121026c72cf9ed8059b5c4c785b55fa6997c7f037984ca31d83fe8bd04030fb37fbb4a1eb843fe56a7ec6e26183e795235bfe39c982308f3
SSDEEP

3072:SHyL76bA9KcGaoGjjE/ZoSdxZJEgMgdcnC2C8nW:T/6e+aoGXgoSjZJEgMgdcnPCz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2700 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2700 AcroRd32.exe
2700 AcroRd32.exe

pid	process
2700	AcroRd32.exe

pid	process
2700	AcroRd32.exe
2700	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2480 wrote to memory of 3064	2480	cmd.exe	rundll32.exe
PID 2480 wrote to memory of 3064	2480	cmd.exe	rundll32.exe
PID 2480 wrote to memory of 3064	2480	cmd.exe	rundll32.exe
PID 3064 wrote to memory of 2700	3064	rundll32.exe	AcroRd32.exe
PID 3064 wrote to memory of 2700	3064	rundll32.exe	AcroRd32.exe
PID 3064 wrote to memory of 2700	3064	rundll32.exe	AcroRd32.exe
PID 3064 wrote to memory of 2700	3064	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2700

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
bba247891baba0398cac29fdd33b2b33

SHA1
7224bb705f069e580350eab44e398253cf2f3002

SHA256
d7f86a996b965211a4290c98974044c6e9c67eecedb89b50efe2c472fb7be773

SHA512
5db69e1ad28fbb49b3bc0002598b017dff3c1d557fdbfbbfd94ce8d716dda07f40afb1e552a27a392968da5ee56fbc7e1ad724916377703316044055b9a0bd64

Download Submit