Analysis
-
max time kernel
1799s
max time network
1569s
platform
windows7_x64
resource
win7-20230831-en
resource tags
arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted
10-10-2023 10:22
Static task
static1
Behavioral task
behavioral1
Sample
2nd calculator.py
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
2nd calculator.py
Resource
win10v2004-20230915-en
General
-
Target
2nd calculator.py
-
Size
1KB
-
MD5
7f222adf14e769558ef67ee5028335d7
-
SHA1
34db71a1801ff9f4bb6c9ce477695715db854cb0
-
SHA256
3cc45938cb4a968e922e32353d98bbfb5184d214f462dbfd34f4c1455e58fcb7
-
SHA512
60e847ecd5381ca89f864270da46ad379770fe426f6336a9335d4fbfb9f1abde4a2f9627de6b0df0a6ad0f438fc9ecee5e23f0f8ec400166ccc2235b4089102a
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\py_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.py | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3032 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
3032 | AcroRd32.exe
3032 | AcroRd32.exe
3032 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1856 wrote to memory of 2660 | 1856 | cmd.exe | 29
PID 1856 wrote to memory of 2660 | 1856 | cmd.exe | 29
PID 1856 wrote to memory of 2660 | 1856 | cmd.exe | 29
PID 2660 wrote to memory of 3032 | 2660 | rundll32.exe | 30
PID 2660 wrote to memory of 3032 | 2660 | rundll32.exe | 30
PID 2660 wrote to memory of 3032 | 2660 | rundll32.exe | 30
PID 2660 wrote to memory of 3032 | 2660 | rundll32.exe | 30
Processes
-
1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\2nd calculator.py"
   - Suspicious use of WriteProcessMemory
   PID:1856
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\2nd calculator.py
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID:2660
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2nd calculator.py"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         PID:3032
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5
12d7a88d1e359af8d62cff869804472a
SHA1
d4f41abf62b0cb45d8f15141758fac6e13744082
SHA256
0ed784410d528624715f27200c31b1fcccfe06796e5624421d314358f404e2a1
SHA512
a3f62538eb1ccc9c1a54fc3acf8219ce1858687d44bd33a71b76b4ef4d43dd8c614121ef2fbf8c18bdeb72b9e54e2c4616846f8af4a785adb0321bd96b50c9a6