Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2024, 10:48

General

  • Target

    sync-tool-main/sync-server.py

  • Size

    3KB

  • MD5

    916ddf110ffb40202e43dcb4d21cb295

  • SHA1

    6fcdb5771f578b9bddc9e6df63fa4375b23d0633

  • SHA256

    1a5f160f4c103a980d58ded2ee1a89b30df904f14e3bb99d120f609c9e484cd0

  • SHA512

    9f34aafd5f0a84b7dfc21093ddb9644e5f5d8fd19a91a7058557ffc4145e26bab8fee6e78c58159447968a83a3af98967f997360e6f35a458ee7af0b7448b70b

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\sync-tool-main\sync-server.py
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sync-tool-main\sync-server.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sync-tool-main\sync-server.py"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    6e3dbcc5de0126326b834ab6d527dff7

    SHA1

    068e1ef34709f996a7eb3d646b6e1bd5e616952f

    SHA256

    f157e0137ffe43df1543060820e2955d89a1a70d996fbefc9fb8f359d93ad545

    SHA512

    02f8787db2bdda55c9e420e00d83f1f14c63054e5f9f01e7573c0c57c5938cee2f684b945e698121f51fbab2d214769a1262c8182f4f53d5dd6984b5dad2aafa