e6015567f25c32599b2c0cad7e3f1213ea6df23fcd04dd3876a18e33651d8a93

Analysis

max time kernel
1563s
max time network
1564s
platform
windows7_x64
resource
win7-20240221-de
resource tags

arch:x64arch:x86image:win7-20240221-delocale:de-deos:windows7-x64systemwindows
submitted
11-03-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZC-AIO/anycaptcha-python-main/anycaptcha/fields.py
Size

5KB
MD5

5f14bbfc3204edc040551cac2490f447
SHA1

cc5a8eaee041774e180966f9e24630baae56085e
SHA256

0d8d399fda7bbeb8567eb6b01b20f6b442cb2921be5f49da7b1bc449052aa5d1
SHA512

9473faa03f0a2607fd9cf1729cedefa5102db17993c292e4d6cc8b41d82147d2a7e1c533c7d86d3799ff53076175308863180c383742b8d3c6d8732b7282f6d0
SSDEEP

96:Bx8IqPMFjQ42oHd7YfbuKhOqNz9RAXDjt+wMZQjxTqhdNanDqEPUS:wt+DDX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	AcroRd32.exe
2556	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2740	1280	cmd.exe	29
PID 1280 wrote to memory of 2740	1280	cmd.exe	29
PID 1280 wrote to memory of 2740	1280	cmd.exe	29
PID 2740 wrote to memory of 2556	2740	rundll32.exe	30
PID 2740 wrote to memory of 2556	2740	rundll32.exe	30
PID 2740 wrote to memory of 2556	2740	rundll32.exe	30
PID 2740 wrote to memory of 2556	2740	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ZC-AIO\anycaptcha-python-main\anycaptcha\fields.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ZC-AIO\anycaptcha-python-main\anycaptcha\fields.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ZC-AIO\anycaptcha-python-main\anycaptcha\fields.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0e6452e35fd4350fa46423da9b02b075

SHA1
46d470de674760581ad997bf267c1b79bf4ebff0

SHA256
ab8886b0c812430acfb017964d07a929e70d6b7a5edbea98d3bcdf79fa865160

SHA512
d4a499825ea2b258f49cd5eb826b0a24962aa68da27849bcedf45a485608463435e6926d307a0f3210d17c7e6fd1e393d3537cf4f8f2209c01d378e1a96c0146

Download Submit