604d2a693634ed16a6d84f446ca7d208408f57e87ec30f35a577c27e2cc542f7

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

micify-stealer-main4.21/micify-stealer-main/Waltuhium.py
Size

142KB
MD5

a68c266b695985a653e227a9db3f0cc3
SHA1

cab667616ad48f7ff006334083fc8ce70fd98a58
SHA256

6c8fbec69a8d070cb00f253fc9886e620034733038b2307779b2026559d3fa0b
SHA512

9d958551dfcecd763c3c8e98273c06db76248547c4774ec90188bff0ac4779582c1228735663b9503f2e7058cb60743344bc1c85d26d0cfe45df6338755c6928
SSDEEP

1536:eiYj57SAiFZjpKNrwne+HAz6v5QnsOkZdaC12JNsLqDhC/+0M/K6U5ftN:87JWGwFgZ6daC2JNs+C/+fyVN

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2684 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2684 AcroRd32.exe
2684 AcroRd32.exe

pid	process
2684	AcroRd32.exe

pid	process
2684	AcroRd32.exe
2684	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1044 wrote to memory of 3056	1044	cmd.exe	rundll32.exe
PID 1044 wrote to memory of 3056	1044	cmd.exe	rundll32.exe
PID 1044 wrote to memory of 3056	1044	cmd.exe	rundll32.exe
PID 3056 wrote to memory of 2684	3056	rundll32.exe	AcroRd32.exe
PID 3056 wrote to memory of 2684	3056	rundll32.exe	AcroRd32.exe
PID 3056 wrote to memory of 2684	3056	rundll32.exe	AcroRd32.exe
PID 3056 wrote to memory of 2684	3056	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\micify-stealer-main4.21\micify-stealer-main\Waltuhium.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\micify-stealer-main4.21\micify-stealer-main\Waltuhium.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\micify-stealer-main4.21\micify-stealer-main\Waltuhium.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2684

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
43554786e51a4c02dc81f077433eecc1

SHA1
f8c77ba60897730b0845629d4794219a183ebf52

SHA256
fab3b2316f92df9ad3e27ca075c3a7d638282661e3cc680ea720c0b01146b5eb

SHA512
b11bfaebdca43d6ffde102d43716f35eebca66b986970118314fe3e69d5d9e087d187e6753a2f515b4d7de6be7e88dffdaa3f1c83878ed74717b76fc061848f3

Download Submit