Analysis

Max time kernel:  4294223s
Max time network: 139s
Platform:         windows7_x64
Resource:         win7-20220310-en
Submitted:        14-04-2022 13:58
Behavioral tasks

Task          Sample                                                 Resource
behavioral1   ExeFilter-1.1.2-alpha3/Conteneur.py                    ubuntu1804-amd64-en-20211208
behavioral2   ExeFilter-1.1.2-alpha3/Conteneur.py                    debian9-armhf-en-20211208
behavioral3   ExeFilter-1.1.2-alpha3/Conteneur.py                    debian9-mipsbe-en-20211208
behavioral4   ExeFilter-1.1.2-alpha3/Conteneur.py                    debian9-mipsel-en-20211208
behavioral5   ExeFilter-1.1.2-alpha3/Conteneur_Fichier.py            ubuntu1804-amd64-en-20211208
behavioral6   ExeFilter-1.1.2-alpha3/Conteneur_Fichier.py            debian9-armhf-en-20211208
behavioral7   ExeFilter-1.1.2-alpha3/Conteneur_Fichier.py            debian9-mipsbe-en-20211208
behavioral8   ExeFilter-1.1.2-alpha3/Conteneur_Fichier.py            debian9-mipsel-en-20211208
behavioral9   ExeFilter-1.1.2-alpha3/Conteneur_Repertoire.py         ubuntu1804-amd64-en-20211208
behavioral10  ExeFilter-1.1.2-alpha3/Conteneur_Repertoire.py         debian9-armhf-en-20211208
behavioral11  ExeFilter-1.1.2-alpha3/Conteneur_Repertoire.py         debian9-mipsbe-en-20211208
behavioral12  ExeFilter-1.1.2-alpha3/Conteneur_Repertoire.py         debian9-mipsel-en-20211208
behavioral13  ExeFilter-1.1.2-alpha3/Conteneur_Zip.py                ubuntu1804-amd64-en-20211208
behavioral14  ExeFilter-1.1.2-alpha3/Conteneur_Zip.py                debian9-armhf-en-20211208
behavioral15  ExeFilter-1.1.2-alpha3/Conteneur_Zip.py                debian9-mipsbe-en-20211208
behavioral16  ExeFilter-1.1.2-alpha3/Conteneur_Zip.py                debian9-mipsel-en-20211208
behavioral17  ExeFilter-1.1.2-alpha3/DEMO.bat                        win7-20220310-en
behavioral18  ExeFilter-1.1.2-alpha3/DEMO.bat                        win10v2004-en-20220113
behavioral19  ExeFilter-1.1.2-alpha3/ExeFilter.py                    ubuntu1804-amd64-en-20211208
behavioral20  ExeFilter-1.1.2-alpha3/ExeFilter.py                    debian9-armhf-en-20211208
behavioral21  ExeFilter-1.1.2-alpha3/ExeFilter.py                    debian9-mipsbe-en-20211208
behavioral22  ExeFilter-1.1.2-alpha3/ExeFilter.py                    debian9-mipsel-en-20211208
behavioral23  ExeFilter-1.1.2-alpha3/ExeFilter_documentation_EN.pdf  win7-20220310-en
behavioral24  ExeFilter-1.1.2-alpha3/ExeFilter_documentation_EN.pdf  win10v2004-en-20220113
behavioral25  ExeFilter-1.1.2-alpha3/ExeFilter_documentation_FR.pdf  win7-20220310-en
behavioral26  ExeFilter-1.1.2-alpha3/ExeFilter_documentation_FR.pdf  win10v2004-20220331-en
behavioral27  ExeFilter-1.1.2-alpha3/Fichier.py                      ubuntu1804-amd64-en-20211208
behavioral28  ExeFilter-1.1.2-alpha3/Fichier.py                      debian9-armhf-en-20211208
behavioral29  ExeFilter-1.1.2-alpha3/Fichier.py                      debian9-mipsbe-en-20211208
behavioral30  ExeFilter-1.1.2-alpha3/Fichier.py                      debian9-mipsel-en-20211208
behavioral31  ExeFilter-1.1.2-alpha3/Filtres/Filtre.py               ubuntu1804-amd64-en-20211208
behavioral32  ExeFilter-1.1.2-alpha3/Filtres/Filtre.py               debian9-armhf-en-20211208
General

Target: ExeFilter-1.1.2-alpha3/DEMO.bat
Size:   40B
MD5:    2b34480d75ba452ce0d826d75bcce5f9
SHA1:   2c0c0daeb77eea418091fd0b55a9fb1cce30b117
SHA256: f46514b4b88e3af161019ab12d009f2b81a5e7c4234049e0e5b5cf70eccc7258
SHA512: 737451a9cf516e596ed8841c759ea7dae3f54f36c639c9e169856a3f7823df82bf8265aaefe6cf371d3aff0446c6191fb188f7f67dd8d54bb761338c4b58a0a8
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (10 IoCs)
  Process: rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\py_auto_file\shell
  Key created      \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\py_auto_file\shell\Read\command
  Key created      \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_Classes\Local Settings
  Key created      \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\py_auto_file
  Set value (str)  \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\py_auto_file\
  Key created      \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\.py
  Key created      \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Set value (str)  \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\.py\ = "py_auto_file"
  Key created      \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\py_auto_file\shell\Read
  Set value (str)  \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: AcroRd32.exe (PID 584)

Suspicious use of SetWindowsHookEx (3 IoCs)
  Process: AcroRd32.exe (PID 584), 3 occurrences

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1920 cmd.exe       wrote to memory of PID 1004 rundll32.exe   (3 occurrences)
  PID 1004 rundll32.exe  wrote to memory of PID 584  AcroRd32.exe   (4 occurrences)
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\ExeFilter-1.1.2-alpha3\DEMO.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ExeFilter-1.1.2-alpha3\ExeFilter.py
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ExeFilter-1.1.2-alpha3\ExeFilter.py"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx