Analysis
- max time kernel: 1560s
- max time network: 1562s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 18:48
Static task
- static1

Behavioral tasks
- behavioral1: Sample AIMr.py, Resource win7-20231215-en
- behavioral2: Sample AIMr.py, Resource win10v2004-20231215-en
- behavioral3: Sample config.py, Resource win7-20231215-en
- behavioral4: Sample config.py, Resource win10v2004-20231215-en
- behavioral5: Sample library.py, Resource win7-20231129-en
- behavioral6: Sample library.py, Resource win10v2004-20231222-en
General
- Target: config.py
- Size: 9KB
- MD5: 4c88e2b85d53c53f54b962666eb2f44f
- SHA1: f1792b4164d77ae7f89109fa3a3a5748f71d40f5
- SHA256: dc18f7eb9bcf4ed24e04b54ab233208a58dc663809127f6d066b750768944824
- SHA512: fe4cbf815394f9f451ca139133968c74069de7b6e46537606e6e110010451086cd28399801aa0965dfab777cbe4dad4b5b84addc12576d247e995a55bc3a34c9
- SSDEEP: 192:SM+aKwXjmPCipAWRW7dNSqdTTiuaqGdZG0gfZG00ryiG0I1uTAth:bXjtOWJ1b
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.py | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2720 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2720 | AcroRd32.exe
  2720 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 860 wrote to memory of 2844 | 860 | cmd.exe | rundll32.exe
  PID 860 wrote to memory of 2844 | 860 | cmd.exe | rundll32.exe
  PID 860 wrote to memory of 2844 | 860 | cmd.exe | rundll32.exe
  PID 2844 wrote to memory of 2720 | 2844 | rundll32.exe | AcroRd32.exe
  PID 2844 wrote to memory of 2720 | 2844 | rundll32.exe | AcroRd32.exe
  PID 2844 wrote to memory of 2720 | 2844 | rundll32.exe | AcroRd32.exe
  PID 2844 wrote to memory of 2720 | 2844 | rundll32.exe | AcroRd32.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\config.py
  PID: 860
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\config.py
    PID: 2844
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\config.py"
      PID: 2720
      Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 3500218df365f3f1c94b79fa9446e79b
- SHA1: b4e09ce380ccd537ff94122e2cdef6329fa6989a
- SHA256: 6ab578d479a2a47cd9d5c9a27473f156208279f72b66503120fde122f116c3f7
- SHA512: c3bf59024dd7e244de5943be8fef4203141476bb71e94dd5b68b4c11ef1035b1230c3bc686af142dcf71f9fcc8fae20dde6d891b6ee3a7c01aa5eee4e6dae6cc