957121efe0855560b01c0bccd3db912f2902edbc77270e2ab2367b087a181e7c

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Python-1.5.2/Demo/cwilib/cwilib.py
Size

6KB
MD5

f35c5b53909bd84e8a2f31ad66cdcab5
SHA1

f8a4d43a9b646f1b4f86e9f8df73d944d5c30a43
SHA256

bb2afd898c20407573a7e4c8281ce6a321b63da1fd1a9e52f00ad43f957cd2b9
SHA512

4ab0c8ea31c11725261860d78b43a49bae818d0550387c567e2738cb7264036b21bdb8a719cb202ab9822747bc68854cb6e653a4ee17c71dc98c6358673a28b9
SSDEEP

96:f0AMUaB/XaSi/1sVeCMZMBSMv6xHcTTt858BctXRP8xP85P8Z:f0Amwik2vvek44Wm

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2948	AcroRd32.exe
2948	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2808	2748	cmd.exe	29
PID 2748 wrote to memory of 2808	2748	cmd.exe	29
PID 2748 wrote to memory of 2808	2748	cmd.exe	29
PID 2808 wrote to memory of 2948	2808	rundll32.exe	30
PID 2808 wrote to memory of 2948	2808	rundll32.exe	30
PID 2808 wrote to memory of 2948	2808	rundll32.exe	30
PID 2808 wrote to memory of 2948	2808	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Python-1.5.2\Demo\cwilib\cwilib.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Python-1.5.2\Demo\cwilib\cwilib.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Python-1.5.2\Demo\cwilib\cwilib.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e3ef9bd5f95a25b9cc94db9de6f4c958

SHA1
66787dfaeb35be163bfe5dd49f395bb1b033d9ef

SHA256
0aa35905b2e13aa0ebd5f145fd29a395a32e0a621c93c90063fa5c7d11279714

SHA512
25f554d9fef9292c65f41216b16d3128826112bddd0bb2bf7c25b4bbaed3796212b030880735437511d036f92bd093f266cae6e626a3f6f687124d821ba5a82b

Download Submit