e746f10a245a5cb3d8bf010dfa30e7de6430e1f248e88d9acbb88596d01c53be

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chimera-1.4/modules/launch_module.py
Size

602B
MD5

4cfe13783e49f51dfcd5debe8890b4cf
SHA1

5def065390b375727e10a36ad449acd109c9ce02
SHA256

e8d68dd9317a905efc4e22e8678d9ecb118cd0fee30608ee5fe37629ed1af97d
SHA512

2a23256cb20fd14041fad0a178dc309d3172c480ca7bc84c16e5ff5cb7086b590ec21953ab9be0356f0c8a32b9b592d6b7cd21f86381a9a44c528f20ecde90c6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2948	AcroRd32.exe
2948	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2644	2228	cmd.exe	29
PID 2228 wrote to memory of 2644	2228	cmd.exe	29
PID 2228 wrote to memory of 2644	2228	cmd.exe	29
PID 2644 wrote to memory of 2948	2644	rundll32.exe	30
PID 2644 wrote to memory of 2948	2644	rundll32.exe	30
PID 2644 wrote to memory of 2948	2644	rundll32.exe	30
PID 2644 wrote to memory of 2948	2644	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Chimera-1.4\modules\launch_module.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Chimera-1.4\modules\launch_module.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Chimera-1.4\modules\launch_module.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5d39c4c38264de34db6ffc86d5f761f1

SHA1
7317b4d5a6921fcbf52b11369e440510464970e5

SHA256
1c0a872458d23e212aa59b48d4ca853fc81c7a48610fc01e6edbc684397e985b

SHA512
918f7a2a6f870593d0b914f17a19384659d1ac3bd38e12c98fd3cc5c48bc05a1ccd8dd5fbb3ac359b34f207e8af5b80405c5016ce5c8255dedc39b43ee8d0a58

Download Submit