7ba1d4740d5a60be3f57cc948784bd385ca50083f57c062983a4e643f562d082

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Carti's tool (2)/Carti's tool/Xvirus.py
Size

8KB
MD5

d728f4aa10bb3e4cf6ab79db601c1781
SHA1

7eae1305df5f9999c49a9098315b06c48dd6e7f1
SHA256

e2ab8b41d9a64b771b9a9341a60bbe33e783afc374fd304e179ff94caa50d983
SHA512

bbc70f4e6dc1695db38dd2a69c40023b3d896f1e0451c85f088463151a4b8fc6c01b004557829aed5a01e15d4898e6808bce7bf604be80ac5bf2571f7fd59d81
SSDEEP

192:kSY6rl2ilBL73aAX39WiqhFxD33/BL4jvpZFYGlvJTs49o3pMvstijDZz6lX+x51:UxD33/BkDpZFYGlv2+o3pMvstijD5wX8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2716	AcroRd32.exe
2716	AcroRd32.exe
2716	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3024	2240	cmd.exe	29
PID 2240 wrote to memory of 3024	2240	cmd.exe	29
PID 2240 wrote to memory of 3024	2240	cmd.exe	29
PID 3024 wrote to memory of 2716	3024	rundll32.exe	30
PID 3024 wrote to memory of 2716	3024	rundll32.exe	30
PID 3024 wrote to memory of 2716	3024	rundll32.exe	30
PID 3024 wrote to memory of 2716	3024	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Carti's tool (2)\Carti's tool\Xvirus.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Carti's tool (2)\Carti's tool\Xvirus.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Carti's tool (2)\Carti's tool\Xvirus.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c781b90469087533f6dc023e8da0fca0

SHA1
259043290e4de0b00420d8aa325869043d1adb6d

SHA256
94cb36e9fc9ce64628c950bea7e499fe5c01457f410d6ddcc94b424303fc0a8a

SHA512
afce31c9e84f3f15f133e79db3c286d9fe78f0f09425ad114cf980619e98b726ad64dd1e999191c60e2b3ae6eff60a1a2af4021415658ba1f32d97a7c0ac06ce

Download Submit