Analysis
max time kernel
1566s
max time network
1570s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
12-02-2024 18:48
Static task
static1
Behavioral task
behavioral1
Sample
AIMr.py
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
AIMr.py
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
config.py
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
config.py
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
library.py
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
library.py
Resource
win10v2004-20231222-en
General
Target
AIMr.py
Size
5KB
MD5
187fd9f9995b79723906edb71273dd1d
SHA1
2a96e13f6afe921bd59094126cc05a9afe306da8
SHA256
a280925c9eb08aa2d1141214d7e8ae7bb815fa8861e95d96c8d9ca7a65365094
SHA512
fcad6b817cf3b3741e280c16535fb409a98be7dd2e47748256d3114eaadc73ff0ee7e52d2da9f51eb03c3cce3e6c3862ccfddc007b941136b3a74afcc7501568
SSDEEP
48:fYfsxutzPhbSJN87exCKVThdNkqEgML5rPLgLXJSwR79JdD+3qDuRHzg5s9v+yhb:f/xutsD8qjdN5yLNebrJdDCqOvgAlf
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.py | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\py_auto_file\shell | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\py_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\py_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: AcroRd32.exe
pid | process
2564 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: AcroRd32.exe
pid | process
2564 | AcroRd32.exe
2564 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: cmd.exe, rundll32.exe
description | pid | process | target process
PID 2164 wrote to memory of 2784 | 2164 | cmd.exe | rundll32.exe
PID 2164 wrote to memory of 2784 | 2164 | cmd.exe | rundll32.exe
PID 2164 wrote to memory of 2784 | 2164 | cmd.exe | rundll32.exe
PID 2784 wrote to memory of 2564 | 2784 | rundll32.exe | AcroRd32.exe
PID 2784 wrote to memory of 2564 | 2784 | rundll32.exe | AcroRd32.exe
PID 2784 wrote to memory of 2564 | 2784 | rundll32.exe | AcroRd32.exe
PID 2784 wrote to memory of 2564 | 2784 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\AIMr.py
  PID: 2164
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AIMr.py
    PID: 2784
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AIMr.py"
      PID: 2564
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
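A caveat a practitioner should draw from this process tree before trusting the verdict: cmd /c handed AIMr.py to the shell, the shell had no handler for .py and launched the Open With dialog (shell32.dll,OpenAs_RunDLL), and the dialog wrote a per-user .py association (py_auto_file, verb Read) pointing at AcroRd32.exe. No Python interpreter ever ran, so the "Modifies registry class" IoCs belong to the Open With dialog and the remaining signatures describe Adobe Reader displaying a text file, not the script's own code. The check below is an added example, not part of this report or of the sandbox's tooling; it parses the report's WriteProcessMemory lines, process command lines and "Set value" registry IoCs (the sample input is constructed from the lines above) and decides whether the sample reached an interpreter. The INTERPRETERS list is an assumption for the check, not something the report states.

```python
"""Added triage check: did the sandbox execute the submitted script or just open it?"""
import re

# Assumed set of image names that mean a .py file actually executed.
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# 'Set value (str) <key>\ = "<value>" <process>'
SET_RE = re.compile(r'^Set value \(str\) (.+?)\\ = "(.*)" (\S+)$')

# Constructed from the report's process tree: (pid, image path, command line).
PROCESSES = [
    (2164, r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\AIMr.py"),
    (2784, r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AIMr.py'),
    (2564, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AIMr.py"'),
]

# Constructed from the report's WriteProcessMemory IoCs (duplicate rows kept as reported).
WPM_LINES = """\
PID 2164 wrote to memory of 2784 2164 cmd.exe rundll32.exe
PID 2164 wrote to memory of 2784 2164 cmd.exe rundll32.exe
PID 2784 wrote to memory of 2564 2784 rundll32.exe AcroRd32.exe
PID 2784 wrote to memory of 2564 2784 rundll32.exe AcroRd32.exe
"""

# Constructed from the report's "Modifies registry class" IoCs.
REG_LINES = r'''
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.py rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
'''


def parse_wpm(text):
    """Map child pid -> (parent pid, parent image, child image); duplicates collapse."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, parent_img, child_img = m.groups()
            edges[int(child)] = (int(parent), parent_img, child_img)
    return edges


def process_chain(edges, leaf_pid, max_depth=64):
    """Walk parent links from a leaf pid back to the root; image names root-first."""
    chain, pid = [], leaf_pid
    for _ in range(max_depth):  # depth guard against malformed/cyclic input
        if pid not in edges:
            break
        parent, parent_img, child_img = edges[pid]
        chain.append(child_img)
        if parent not in edges:
            chain.append(parent_img)
        pid = parent
    chain.reverse()
    return chain


def parse_reg_sets(text):
    """Return {key: value} for 'Set value (str)' IoC lines, undoing the report's \\" and \\\\ escaping."""
    out = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            key, raw, _proc = m.groups()
            out[key] = raw.replace('\\"', '"').replace('\\\\', '\\')
    return out


def user_association(reg_sets, ext):
    """Resolve the per-user (HKCU Classes) handler the report shows being created for ext."""
    progid = None
    for key, value in reg_sets.items():
        if key.upper().endswith("_CLASSES\\" + ext.upper()):
            progid = value
    if progid is None:
        return None
    for key, value in reg_sets.items():
        parts = key.split("\\")
        if progid in parts and parts[-1].lower() == "command":
            m = re.match(r'"?([^"]+?\.exe)', value)
            exe = m.group(1) if m else value
            return progid, parts[-2], exe.rsplit("\\", 1)[-1]  # (progid, verb, handler image)
    return progid, None, None


def assess_detonation(sample_name, wpm_text, reg_text, processes):
    """Classify the run: 'executed' only if the sample's path reached a known interpreter."""
    edges = parse_wpm(wpm_text)
    parents = {parent for parent, _, _ in edges.values()}
    leaves = [pid for pid in edges if pid not in parents]
    chain = process_chain(edges, leaves[0]) if leaves else []
    handlers = [img.rsplit("\\", 1)[-1] for _, img, cmd in processes if sample_name in cmd]
    ran = any(h.lower() in INTERPRETERS for h in handlers)
    ext = "." + sample_name.rsplit(".", 1)[-1]
    return {
        "chain": chain,
        "open_with_dialog": any("OpenAs_RunDLL" in cmd for _, _, cmd in processes),
        "executed_by_interpreter": ran,
        "user_association": user_association(parse_reg_sets(reg_text), ext),
        "verdict": "executed" if ran else "opened-not-executed",
    }


if __name__ == "__main__":
    for k, v in assess_detonation("AIMr.py", WPM_LINES, REG_LINES, PROCESSES).items():
        print(f"{k}: {v}")
```

On this report the check returns the chain cmd.exe -> rundll32.exe -> AcroRd32.exe, flags the Open With dialog, resolves the freshly written association to py_auto_file / Read / AcroRd32.exe, and gives the verdict "opened-not-executed". The same check against a run whose leaf is python.exe returns "executed"; a detonation of a script should be re-queued on an image that has the interpreter installed before any of its behavioral signatures are attributed to the sample.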
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
3KB
MD5
44f88d9910660f2af6bcb85dae591b60
SHA1
082be8e89930d72a8c9bee6e76da4a5ec82082e2
SHA256
e840cf7720ae66a1e01fcb078d74fa3dfc20b7ce55be42f4d4fb7640c96c3a62
SHA512
b2b8a9ebf0a6265d4013a3a6ed92caee44bbfd9d7951efe2901813a93d838bc07c6df0348a69206506d819b2809a716bce5b092f04d151c4dc21e964320cd3b6