aac5cc5741fd23c7405bb29800d9f5aae18a27592570a80a6d8db5f04a777812

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pet-Simulator-99-Pet-Duplicator-main/config.py
Size

187B
MD5

9124be51a4b41f00e7c84bea177ba9bd
SHA1

aaf5fad3a2f6515d740971df2358ad8bf94093bb
SHA256

807960a85e9670f11eb6d9fabff736cf47e0d848b5c7e6edeeb3619c44f8bf95
SHA512

66b6dd2c404da3c4435be09351f05a2baddde25ab7accb2fd8c5fed24b61567085c9ecdbc7416bafd44e27182d9a80ebb2a3ead0e18e381c4336660f99ffa2db

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2980	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2980	AcroRd32.exe
2980	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2596	1936	cmd.exe	17
PID 1936 wrote to memory of 2596	1936	cmd.exe	17
PID 1936 wrote to memory of 2596	1936	cmd.exe	17
PID 2596 wrote to memory of 2980	2596	rundll32.exe	30
PID 2596 wrote to memory of 2980	2596	rundll32.exe	30
PID 2596 wrote to memory of 2980	2596	rundll32.exe	30
PID 2596 wrote to memory of 2980	2596	rundll32.exe	30

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pet-Simulator-99-Pet-Duplicator-main\config.py
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pet-Simulator-99-Pet-Duplicator-main\config.py"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2980

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Pet-Simulator-99-Pet-Duplicator-main\config.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3e6a675d5ec4db65c9ef2098c3c8ba28

SHA1
d2838c0df1e3b599ab0252a74e79c24fd874d17f

SHA256
367f5e527dcd2fa981395f5cc69ab8f83030f27b64e4ecc464cd79d894dd67e8

SHA512
05bd1b6286039fe9990f94cf41a3b978cbb67e813e90e690c32cdc63c217bf4d885f8df600362e1feac1b02e39c087ccf723eaecf314f9432ac88c90fc02b22e

Download Submit