Analysis
- max time kernel: 255s
- max time network: 225s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 19:43
Static task
static1
Behavioral task
behavioral1
Sample
4.py
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4.py
Resource
macos-20231201-en
Behavioral task
behavioral3
Sample
4.py
Resource
ubuntu1804-amd64-20231215-en
Behavioral task
behavioral4
Sample
4.py
Resource
debian9-armhf-20231222-en
Behavioral task
behavioral5
Sample
4.py
Resource
debian9-mipsbe-20231221-en
Behavioral task
behavioral6
Sample
4.py
Resource
debian9-mipsel-20231215-en
General
- Target: 4.py
- Size: 5KB
- MD5: b9cdac3f9cb33324f0f0a423f60abeb3
- SHA1: ad6fd136f40a2c76367f594ffbbd002db963206a
- SHA256: 8005aeec19f9465dc8827dce6d0ac8c8edcc25ce64bd7b351c45813efd964430
- SHA512: dfca5d102db01d3363ff7d31869b5b1f1ed14b2f06e76a6629fbcac00b1dd4dfa76aef56c33cf6b937e487324d366b3527d5bdc59730a44236084638a176f7d4
- SSDEEP: 96:5S6XkwVafqhi8FIHzKLshSi/ffb8ulXfFj7Ef/Hms7evZxCX:5S6jVaci8FIHzKLsz8gp8ye
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  All nine operations are attributed to rundll32.exe:
  Key created      \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file
  Key created      \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.py
  Key created      \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read
  Key created      \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read\command
  Set value (str)  \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created      \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings
  Set value (str)  \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\
  Set value (str)  \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.py\ = "py_auto_file"
  Key created      \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell
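Read together, these nine operations rewrite the per-user file association for .py: the default value of the .py key is set to the ProgID py_auto_file, and that ProgID's shell\Read\command is set to AcroRd32.exe "%1". All nine are attributed to rundll32.exe, which the Processes section shows running shell32.dll,OpenAs_RunDLL (the Open With dialog) as the child of cmd /c 4.py, and no Python interpreter appears anywhere in the process list. The association change is therefore the Windows shell recording the application selected in that dialog, not behaviour of the script itself. The following example is added here and is not part of the report or of the sandbox's own code: it parses the IoC lines exactly as printed above, resolves the association chain the way the shell does (extension default value, then ProgID, then shell verb command), and flags a handler that is not a Python launcher. The EXPECTED_PY_HANDLERS set is an assumption made for that check, not something the report states.

```python
import re
from typing import Dict, List, Optional

# The nine "Modifies registry class" IoC lines, copied from the report above
# (one operation per line; the acting process image is the last token).
REGISTRY_IOCS = r'''
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.py rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\ rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\py_auto_file\shell rundll32.exe
'''.strip().splitlines()

# "<op> <key>[ = "<data>"] <process>": the key may contain spaces ("Local Settings"),
# so it is matched lazily and the line is anchored on the trailing process image name.
IOC_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<vtype>\w+)\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+(?P<data>".*"))?'
    r'\s+(?P<proc>\S+\.exe)$'
)
# \REGISTRY\USER\<SID>_CLASSES is the per-user HKCU\Software\Classes view, which the shell
# consults before HKLM\Software\Classes when resolving an association for that user.
USER_CLASSES_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-[\d-]+_CLASSES\\(.*)$', re.IGNORECASE)
# Assumption for the check below: images that legitimately own .py on a host with Python.
EXPECTED_PY_HANDLERS = {'python.exe', 'pythonw.exe', 'py.exe', 'pyw.exe'}


def parse_registry_iocs(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Turn the report's registry IoC lines into op/type/key/data/process records."""
    records = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m is None:
            raise ValueError(f'unrecognised registry IoC line: {line!r}')
        data = m.group('data')
        if data is not None:
            # REG_SZ data is printed C-escaped inside double quotes; strip and unescape it.
            data = re.sub(r'\\(.)', r'\1', data[1:-1])
        records.append({'op': 'create_key' if m.group('op') == 'Key created' else 'set_value',
                        'type': m.group('vtype'), 'key': m.group('key'),
                        'data': data, 'process': m.group('proc')})
    return records


def user_classes_path(key: str) -> Optional[str]:
    """Path relative to the user's Classes root, or None for keys outside it."""
    m = USER_CLASSES_RE.match(key)
    return m.group(1) if m else None


def command_exe(command: str) -> str:
    """Executable part of a shell verb command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]


def resolve_association(records, ext: str) -> Optional[Dict[str, str]]:
    """Follow <ext> default value -> ProgID -> shell\\<verb>\\command, as the shell does."""
    values = [(user_classes_path(r['key']), r['data']) for r in records if r['op'] == 'set_value']
    values = [(rel, data) for rel, data in values if rel is not None]
    # A trailing backslash on the report's key means the key's (Default) value was written.
    progid = next((data for rel, data in values if rel.lower() == f'{ext}\\'.lower()), None)
    if not progid:
        return None
    prefix = f'{progid}\\shell\\'.lower()
    for rel, data in values:
        low = rel.lower()
        if low.startswith(prefix) and low.endswith('\\command\\') and data:
            verb = rel[len(prefix):-len('\\command\\')]
            return {'ext': ext, 'progid': progid, 'verb': verb,
                    'command': data, 'exe': command_exe(data)}
    return None


def is_unexpected_handler(exe: str, expected=EXPECTED_PY_HANDLERS) -> bool:
    """True when the association points somewhere other than a Python launcher."""
    return exe.rsplit('\\', 1)[-1].lower() not in expected


if __name__ == '__main__':
    assoc = resolve_association(parse_registry_iocs(REGISTRY_IOCS), '.py')
    print(f"{assoc['ext']} -> {assoc['progid']} -> shell\\{assoc['verb']}\\command = {assoc['command']}")
    print('handler outside the expected set:', is_unexpected_handler(assoc['exe']))
```

Run against the lines above this resolves .py to py_auto_file and then to "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1", and the check reports the handler as unexpected. Because the keys live under the user's SID in \REGISTRY\USER, the change affects only that account and overrides any machine-wide .py association for it.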
- Suspicious behavior: CmdExeWriteProcessMemorySpam (3 IoCs)
  Processes: AcroRd32.exe (PID 1740), AcroRd32.exe (PID 1372), AcroRd32.exe (PID 2884)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe (PID 2720)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: AUDIODG.EXE (PID 2152)
  Token: 33                      2152 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2152 AUDIODG.EXE
  Token: 33                      2152 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2152 AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: AcroRd32.exe (PID 2720, 3 IoCs), AcroRd32.exe (PID 2884, 2 IoCs)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: cmd.exe, rundll32.exe, cmd.exe
  Each distinct writer/target pair, with the number of times the report records it:
  writer PID  writer image   target PID  target image   writes
  2652        cmd.exe        2680        rundll32.exe   3
  2680        rundll32.exe   2720        AcroRd32.exe   4
  604         cmd.exe        1740        AcroRd32.exe   4
  604         cmd.exe        1372        AcroRd32.exe   4
  604         cmd.exe        2884        AcroRd32.exe   4
Processes
(nested entries are child processes of the entry above them)
- [PID 2652] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\4.py
  Signatures: Suspicious use of WriteProcessMemory
  - [PID 2680] C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4.py
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - [PID 2720] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"
      Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- [PID 500] C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- [PID 604] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [PID 1740] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"
    Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
  - [PID 1372] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"
    Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
  - [PID 2884] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "F:\4.py"
    Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of SetWindowsHookEx
- [PID 2152] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x55c
  Signatures: Suspicious use of AdjustPrivilegeToken
- [PID 320] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "F:\4.py"
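The 19 WriteProcessMemory IoCs in the Signatures section encode the same parent/child nesting as the process list above: every recorded write goes from a process to one directly beneath it in the tree. The following example is added here and is not part of the report or of the sandbox's own tooling: it collapses the repeated IoC lines into per-pair write counts, rebuilds the tree from them, and checks whether a given process reached execution through the Open With dialog (a rundll32 shell32.dll,OpenAs_RunDLL ancestor). The COMMAND_LINES mapping is copied from the process list above for the PIDs that appear in the WriteProcessMemory IoCs; PIDs 500, 2152 and 320 have no recorded writes, which is why the report shows them as separate top-level entries and why they do not appear in the rebuilt tree.

```python
import re
from collections import Counter, defaultdict

# The 19 "Suspicious use of WriteProcessMemory" IoCs from the report. The report prints one
# line per recorded write, so each distinct line is repeated as often as it appears there.
WPM_IOCS = (
    ['PID 2652 wrote to memory of 2680 2652 cmd.exe rundll32.exe'] * 3
    + ['PID 2680 wrote to memory of 2720 2680 rundll32.exe AcroRd32.exe'] * 4
    + ['PID 604 wrote to memory of 1740 604 cmd.exe AcroRd32.exe'] * 4
    + ['PID 604 wrote to memory of 1372 604 cmd.exe AcroRd32.exe'] * 4
    + ['PID 604 wrote to memory of 2884 604 cmd.exe AcroRd32.exe'] * 4
)

# Command lines from the Processes section, keyed by PID (only PIDs present in WPM_IOCS).
COMMAND_LINES = {
    2652: r'cmd /c C:\Users\Admin\AppData\Local\Temp\4.py',
    2680: r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4.py',
    2720: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"',
    604: r'"C:\Windows\system32\cmd.exe"',
    1740: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"',
    1372: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4.py"',
    2884: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "F:\4.py"',
}

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; \1 enforces the repeated PID.
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$')


def parse_wpm(lines):
    """Return (pid -> image name, Counter of (writer_pid, target_pid) write events)."""
    images, edges = {}, Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m is None:
            raise ValueError(f'unrecognised WriteProcessMemory IoC line: {line!r}')
        src, dst = int(m.group(1)), int(m.group(2))
        images[src], images[dst] = m.group(3), m.group(4)
        edges[(src, dst)] += 1
    return images, edges


def build_tree(edges):
    """Treat each writer -> target pair as parent -> child (matches the Processes nesting here)."""
    parent, children = {}, defaultdict(list)
    for src, dst in edges:
        if dst in parent and parent[dst] != src:
            raise ValueError(f'PID {dst} written to by {parent[dst]} and {src}; not a plain spawn')
        parent[dst] = src
        children[src].append(dst)
    return parent, children


def ancestry(parent, pid):
    """PIDs from the outermost recorded ancestor down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def roots(parent, images):
    """PIDs that were never written to by another recorded process."""
    return sorted(pid for pid in images if pid not in parent)


def render(images, children, pid, depth=0):
    """Indented text tree, two spaces per level, children in PID order."""
    lines = [f"{'  ' * depth}{images[pid]} (PID {pid})"]
    for child in sorted(children.get(pid, [])):
        lines.extend(render(images, children, child, depth + 1))
    return lines


def launched_via_open_with(chain, command_lines):
    """True when an ancestor is rundll32 running shell32.dll,OpenAs_RunDLL: Windows had no
    handler for the file, showed the Open With dialog, and the child is whatever was picked."""
    return any('OpenAs_RunDLL' in command_lines.get(pid, '') for pid in chain)


if __name__ == '__main__':
    images, edges = parse_wpm(WPM_IOCS)
    parent, children = build_tree(edges)
    for root in roots(parent, images):
        print('\n'.join(render(images, children, root)))
    for leaf in (2720, 2884):
        chain = ancestry(parent, leaf)
        print(leaf, '<-', chain, 'via Open With:', launched_via_open_with(chain, COMMAND_LINES))
```

For PID 2720 the chain is 2652 (cmd.exe) -> 2680 (rundll32.exe, OpenAs_RunDLL) -> 2720 (AcroRd32.exe), so the Open With check is true; the three AcroRd32.exe instances under PID 604 were started by cmd.exe directly and the check is false for them. A PID written to by more than one parent would break the plain-spawn assumption, so build_tree refuses it rather than silently picking one.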
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 1a7003e986e72c933d86dc3af3c03432
  SHA1: 3eaf12d546b785f478b486ab068f2790e44e233f
  SHA256: e50181da8f6f75a5ac32af2599db35b6327af2868e3c979c6ae39fb86f033926
  SHA512: ba1dae9876b8f62a2cc5f59c6a46408323040cd9b9acf54be385e930ca92db3f86b09c4dfdb0cf8e087e8bb3d5fb2c0e931032bea03f7b4c9ff09e9b376cd5a5
- Filesize: 70KB
  MD5: 8a4ac03151d32a8b50a8a9de78bc2e30
  SHA1: cc50ef0acdc93dd1e6a74de1ce463906e74b5a8c
  SHA256: 723959d317a8cf3d06eb8a62ba288a7d1032f00fbecff540b56f0b72555b97e5
  SHA512: 5f7b726e05fb2fcf2a4f3422925fdf850b27e9fa5a331981059f19fa4a55f133a4d7904f14d0147dd873a918bb607a5da34ce0aef652ed197170de0efb8cac2b