36f71bfdcab4c661fe79122526d3ba91a4fb404a5b5763e54f1b4a4029a096a6

Resubmissions

19-11-2023 13:21

231119-qlp3waba21 10

12-10-2023 19:12

231012-xwjgeacb86 10

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
19-11-2023 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SPOILER_Security.py
Size

72KB
MD5

6d11490d443c437e341aec827d8f17a0
SHA1

fc86385cdc8938754669e9d77bcf4ba53d218197
SHA256

36f71bfdcab4c661fe79122526d3ba91a4fb404a5b5763e54f1b4a4029a096a6
SHA512

a5bb03d9324cf76add812cdd89d134e39f6869b7d43eea44e54d2f4dc8b1ee1253ea5dfe6df6fbc23812530bfc9884549c8c141166e8c7be675358602f6f868e
SSDEEP

1536:Q1kWRNvnhhFSQLhmVpoWDF95YeWB6U/Jf1pge4Fsu:Q1k6hhFhhgL95Yea6adpge4Fsu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2756	AcroRd32.exe
2756	AcroRd32.exe
2756	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2720	1264	cmd.exe	29
PID 1264 wrote to memory of 2720	1264	cmd.exe	29
PID 1264 wrote to memory of 2720	1264	cmd.exe	29
PID 2720 wrote to memory of 2756	2720	rundll32.exe	30
PID 2720 wrote to memory of 2756	2720	rundll32.exe	30
PID 2720 wrote to memory of 2756	2720	rundll32.exe	30
PID 2720 wrote to memory of 2756	2720	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SPOILER_Security.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SPOILER_Security.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SPOILER_Security.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
95b9a852040d2d4ac2b8c567e915eaf8

SHA1
c15f4f267addab08c3fea081e01e4dbc707e79ca

SHA256
4b6540c5ac2f28aa49b0e9875c81f3647bdd70e34fb89c3567e0951745430770

SHA512
1b8198a6669aa4f3b2da3217241af7cdb6743983e143e24aca8b6d2361bf54ff76876f8849c0d4052b2fb5f79f2064616453520ecb833943abda894a5c6bf9fb

Download Submit