e20f6cc5622d0ff337a2f87fb5b3f2b7b7aedc4cdd07018c27b38f4cb75b0db8

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dionysus-2.0.10/bindings/python/pybind11/tools/FindPythonLibsNew.cmake
Size

10KB
MD5

6b8f9b614b681d8ed4f4ac40edce5ccd
SHA1

4d382442d025a1a8c5e597fc43ad3b928d0a4408
SHA256

d5d10c3944318fec534339502c1057313e034d270d245aae3901805a225ac020
SHA512

2d0e8baa0b156a54578361831ca85010d5f5c156f62535f095f2ac0b053ee766993b654272760aadf7d45b535a12df2c7fcbc3f74fc4e7a5ca2d3a6e1c897529
SSDEEP

192:uMDtD1rsxrsGE353qmmekpOx0LduQAtAPVCkDPSnAbq3Rt6c4ON+3Zta7KapEXxx:ueLrsxrsG2pqAC2YbPSnAO6QQWE

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmake_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.cmake	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.cmake\ = "cmake_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmake_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmake_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmake_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmake_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmake_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2932	AcroRd32.exe
2932	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2832	2788	cmd.exe	29
PID 2788 wrote to memory of 2832	2788	cmd.exe	29
PID 2788 wrote to memory of 2832	2788	cmd.exe	29
PID 2832 wrote to memory of 2932	2832	rundll32.exe	30
PID 2832 wrote to memory of 2932	2832	rundll32.exe	30
PID 2832 wrote to memory of 2932	2832	rundll32.exe	30
PID 2832 wrote to memory of 2932	2832	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\dionysus-2.0.10\bindings\python\pybind11\tools\FindPythonLibsNew.cmake
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dionysus-2.0.10\bindings\python\pybind11\tools\FindPythonLibsNew.cmake
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dionysus-2.0.10\bindings\python\pybind11\tools\FindPythonLibsNew.cmake"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c5e88d2d01cac10e5d1f5e54bc3b3256

SHA1
87249d187f9d15f73c4b7f5454b4ec402c977337

SHA256
39c6e0b76a75ac4cc76ac92fd49f6c1baa6d2eaea3ef58cc87f88ea1c0d3a161

SHA512
925ed2211b492fcac79602d8931da959dc1676517675630ca9b16f1095cd87cfdad4f1bdef71e5ad88c0b9e52da01ea6e54d5727c668174c8fe9b68c0a1d8a37

Download Submit