4c45066d402b9a63075d95d67f4fa66112956fb04819019d16a7363a0fa87b2a

Analysis

max time kernel
1560s
max time network
1562s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

config.py
Size

9KB
MD5

4c88e2b85d53c53f54b962666eb2f44f
SHA1

f1792b4164d77ae7f89109fa3a3a5748f71d40f5
SHA256

dc18f7eb9bcf4ed24e04b54ab233208a58dc663809127f6d066b750768944824
SHA512

fe4cbf815394f9f451ca139133968c74069de7b6e46537606e6e110010451086cd28399801aa0965dfab777cbe4dad4b5b84addc12576d247e995a55bc3a34c9
SSDEEP

192:SM+aKwXjmPCipAWRW7dNSqdTTiuaqGdZG0gfZG00ryiG0I1uTAth:bXjtOWJ1b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\py_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2720 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2720 AcroRd32.exe
2720 AcroRd32.exe

pid	process
2720	AcroRd32.exe

pid	process
2720	AcroRd32.exe
2720	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 860 wrote to memory of 2844	860	cmd.exe	rundll32.exe
PID 860 wrote to memory of 2844	860	cmd.exe	rundll32.exe
PID 860 wrote to memory of 2844	860	cmd.exe	rundll32.exe
PID 2844 wrote to memory of 2720	2844	rundll32.exe	AcroRd32.exe
PID 2844 wrote to memory of 2720	2844	rundll32.exe	AcroRd32.exe
PID 2844 wrote to memory of 2720	2844	rundll32.exe	AcroRd32.exe
PID 2844 wrote to memory of 2720	2844	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\config.py
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\config.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\config.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3500218df365f3f1c94b79fa9446e79b

SHA1
b4e09ce380ccd537ff94122e2cdef6329fa6989a

SHA256
6ab578d479a2a47cd9d5c9a27473f156208279f72b66503120fde122f116c3f7

SHA512
c3bf59024dd7e244de5943be8fef4203141476bb71e94dd5b68b4c11ef1035b1230c3bc686af142dcf71f9fcc8fae20dde6d891b6ee3a7c01aa5eee4e6dae6cc

Download Submit