Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 14:08
Static task: static1
Behavioral task: behavioral1
- Sample: test_journal.py
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: test_journal.py
- Resource: win10v2004-20240412-en
General
- Target: test_journal.py
- Size: 10KB
- MD5: fb08be2b60bcd116c37e011eef57692c
- SHA1: d6dd2cb3eeef49b24b8086cd8a7cfbcfbe02d2fa
- SHA256: a36f00b50f335c0b974084a92704d0472ec971455973de64b36324fc7cdd3a87
- SHA512: ae552d12b78cb6c340c62a696593af8409746d43c760cfa77f1723414bc7365429620d0cb8c4e41c26484334826aa3f84f26b930c048081bf4c1c66a1d1b9e5a
- SSDEEP: 192:zPKteSTJ1BEnT3lBM26ZfM+kWBS7fxcUELzWgpDZWRpDmYi2gpTAYi5gpLIs32hQ:zPKtbkW87Z90qgpDERpDq2gpTs5gpLIc
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs), all written by rundll32.exe:
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py\ = "py_auto_file"
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: AcroRd32.exe (pid 2552)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe (pid 2552), twice
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2724 cmd.exe wrote to memory of PID 2548 rundll32.exe (3 times)
  PID 2548 rundll32.exe wrote to memory of PID 2552 AcroRd32.exe (4 times)
Processes
- (depth 1) C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\test_journal.py
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\test_journal.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\test_journal.py"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
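The registry and process evidence above, worked through as an added triage script (an editor's example, not part of the sandbox report or its tooling). It parses the "Modifies registry class" lines and the process tree exactly as printed above, recovers which extension was bound to which handler, and checks whether the process that wrote the association was rundll32.exe running shell32.dll,OpenAs_RunDLL, the entry point of the shell's Open With dialog, rather than the sample itself. The handling of the sandbox's string escaping, the finding fields and the verdict wording are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Inputs copied from the report above (SID, keys, data and process names are the sandbox's own).
SID = "S-1-5-21-330940541-141609230-1670313778-1000"
REGISTRY_EVENTS = [line.replace("<SID>", SID) for line in (
    r"Key created \REGISTRY\USER\<SID>_CLASSES\py_auto_file\shell\Read\command rundll32.exe",
    r'Set value (str) \REGISTRY\USER\<SID>_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe',
    r"Key created \REGISTRY\USER\<SID>_Classes\Local Settings rundll32.exe",
    r"Set value (str) \REGISTRY\USER\<SID>_CLASSES\py_auto_file\ rundll32.exe",
    r"Key created \REGISTRY\USER\<SID>_CLASSES\.py rundll32.exe",
    r"Key created \REGISTRY\USER\<SID>_CLASSES\py_auto_file\shell rundll32.exe",
    r"Key created \REGISTRY\USER\<SID>_CLASSES\py_auto_file rundll32.exe",
    r'Set value (str) \REGISTRY\USER\<SID>_CLASSES\.py\ = "py_auto_file" rundll32.exe',
    r"Key created \REGISTRY\USER\<SID>_CLASSES\py_auto_file\shell\Read rundll32.exe",
)]
# (pid, image, command line, parent pid) from the Processes section
PROCESS_TREE = [
    (2724, "cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\test_journal.py", None),
    (2548, "rundll32.exe", r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\test_journal.py', 2724),
    (2552, "AcroRd32.exe", r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\test_journal.py"', 2548),
]
OPEN_WITH_DIALOG = "shell32.dll,OpenAs_RunDLL"   # shell32 entry point behind the "Open With" dialog


@dataclass
class RegEvent:
    op: str                  # "create" (Key created) or "set" (Set value)
    key: str                 # full key path; a trailing "\" addresses the key's default value
    value: Optional[str]     # decoded REG_SZ data for "set" events that show data, else None
    process: str             # image name of the writing process


_EVENT_RE = re.compile(r"^(Key created|Set value \(\w+\)) (.*)$")
_CLASSES_RE = re.compile(r"_classes\\(.*)$", re.IGNORECASE)   # HKCU\Software\Classes subtree


def parse_event(line: str) -> RegEvent:
    """Parse one 'Modifies registry class' line in the sandbox's print format (assumed here)."""
    body, process = line.rsplit(" ", 1)            # trailing token is the writing process
    m = _EVENT_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised event: {line!r}")
    op = "create" if m.group(1) == "Key created" else "set"
    key, sep, raw = m.group(2).partition(" = ")
    value = None
    if op == "set" and sep:
        # data is printed as a C-style literal: drop the outer quotes, unescape \" then \\
        value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return RegEvent(op, key, value, process)


def file_associations(events):
    """Map extension -> (ProgID, {verb: command template}) from the 'Set value' events."""
    ext_to_progid, verbs = {}, {}
    for ev in events:
        m = _CLASSES_RE.search(ev.key)
        if ev.op != "set" or ev.value is None or not m:
            continue
        rel = m.group(1)
        ext = re.fullmatch(r"\.(\w+)\\", rel)                             # .py\ = "py_auto_file"
        cmd = re.fullmatch(r"([^\\]+)\\shell\\([^\\]+)\\command\\", rel)  # progid\shell\Read\command\
        if ext:
            ext_to_progid[ext.group(1).lower()] = ev.value
        elif cmd:
            verbs.setdefault(cmd.group(1), {})[cmd.group(2)] = ev.value
    return {e: (p, verbs.get(p, {})) for e, p in ext_to_progid.items()}


def handler_exe(command: str) -> str:
    """First token of a shell command template, with or without quotes."""
    m = re.match(r'\s*"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def classify(events, tree, sample_name):
    """One finding per new verb: handler exe, writing process(es), whether the writer was the
    Open With dialog, and whether the handler was then launched on the sample."""
    cmdline_by_image = {img.lower(): cmd for _, img, cmd, _ in tree}
    findings = []
    for ext, (progid, verbs) in file_associations(events).items():
        writers = set()
        for ev in events:
            m = _CLASSES_RE.search(ev.key)
            if m and m.group(1).split("\\")[0] in (progid, f".{ext}"):
                writers.add(ev.process)
        open_with = any(OPEN_WITH_DIALOG.lower() in cmdline_by_image.get(w.lower(), "").lower()
                        for w in writers)
        for verb, template in verbs.items():
            exe = handler_exe(template)
            image = exe.rsplit("\\", 1)[-1].lower()
            ran = any(img.lower() == image and sample_name.lower() in cmd.lower()
                      for _, img, cmd, _ in tree)
            findings.append({"ext": ext, "progid": progid, "verb": verb, "handler": exe,
                             "writers": sorted(writers), "open_with_dialog": open_with,
                             "handler_ran_sample": ran})
    return findings


def verdict(f) -> str:
    if f["open_with_dialog"]:
        return (f".{f['ext']} -> {f['handler']}: association written by the Open With dialog "
                f"({OPEN_WITH_DIALOG}), i.e. by the shell, not by code inside the sample")
    return (f".{f['ext']} -> {f['handler']}: association written by {', '.join(f['writers'])}; "
            "review as a possible file-association hijack")


if __name__ == "__main__":
    events = [parse_event(line) for line in REGISTRY_EVENTS]
    for finding in classify(events, PROCESS_TREE, "test_journal.py"):
        print(verdict(finding))
```

Run stand-alone it prints one verdict line for `.py`. The reading it encodes: `cmd /c` on a file whose extension has no registered handler hands the file to the Open With dialog (rundll32 with shell32.dll,OpenAs_RunDLL), and the dialog's pick of Adobe Reader is what created the HKCU `py_auto_file` keys and the `Read` verb; the registry change is therefore a property of the sandbox image and its click automation, not behaviour of the 10KB Python file, which was never executed by an interpreter. The same classifier reports a finding for review whenever the process writing an association is anything other than that dialog.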
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 14042101e8d4ef6f3359ca1731899899
  SHA1: 0e2c2c2cbbef774ff799c62d712f8b7be7a2c16e
  SHA256: 1c8778f84074a6a723e25c180c5fc67a7cde0d4eb27eb8cc7714dc4eaa38e2a3
  SHA512: bfa4af192b87ea7a50a1c1c3bdd37ca906b440b9aeb7035f67095ee8930a4296f918584551bb18c6673f8500636cce59264321d7c0f521eb611a01c084a02ab7