7fc4baee5b7ba4c7e97e9d0842327a67cdcaf862dc86ac3a81d890e807d6cb8b

Resubmissions

19-09-2023 23:36

230919-3lkvdaee37 10

17-09-2023 11:49

230917-nzbrasab4v 10

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19-09-2023 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SPOILER_Security.py
Size

72KB
MD5

981e9429debd8dfcd7fb51db2cd2a641
SHA1

6e18429b493134edae93a8269ab1f3e6b14cc4b8
SHA256

7fc4baee5b7ba4c7e97e9d0842327a67cdcaf862dc86ac3a81d890e807d6cb8b
SHA512

69e512ecc15ccb614ff1834dfdbcc46170ac55f74dc353b2e4e2aed61590881c2d85238d09e1f53c030b4eed7aa4de743fee6904a4970edd4844d11964d333d7
SSDEEP

1536:Q1kWRdnhhFSQLhmVpoWDF95YeWB6U/Jf1pge4Fsu:Q1kyhhFhhgL95Yea6adpge4Fsu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2740	AcroRd32.exe
2740	AcroRd32.exe
2740	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2720	3044	cmd.exe	29
PID 3044 wrote to memory of 2720	3044	cmd.exe	29
PID 3044 wrote to memory of 2720	3044	cmd.exe	29
PID 2720 wrote to memory of 2740	2720	rundll32.exe	30
PID 2720 wrote to memory of 2740	2720	rundll32.exe	30
PID 2720 wrote to memory of 2740	2720	rundll32.exe	30
PID 2720 wrote to memory of 2740	2720	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SPOILER_Security.py
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SPOILER_Security.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SPOILER_Security.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
29f0cd849f981eb129e2c8b367490182

SHA1
fe8ca1b6cc13dd6f898a62b137ac2df5c004f12a

SHA256
1107120482f741f53d0e9a99752bf03e1c3d5fc205c41daf64845310afd00a3d

SHA512
59b86dee82d9c320ca0de7bf96fa8836cbd7a02be7cd3599af5ef85f25f7db7b189127116fd4d127bf5c8c850c76adb9a7ab5d4d77ba199bc7397985e1c9f9de

Download Submit