Overview
overview
3Static
static
1CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...sample
windows7-x64
3CVE-2023-3...oit.py
windows7-x64
3CVE-2023-3...pt.bat
windows7-x64
1Analysis
-
max time kernel
43s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 08:59
Static task
static1
Behavioral task
behavioral1
Sample
CVE-2023-38831/.git/hooks/applypatch-msg.sample
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
CVE-2023-38831/.git/hooks/commit-msg.sample
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
CVE-2023-38831/.git/hooks/fsmonitor-watchman.sample
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
CVE-2023-38831/.git/hooks/post-update.sample
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
CVE-2023-38831/.git/hooks/pre-applypatch.sample
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
CVE-2023-38831/.git/hooks/pre-commit.sample
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
CVE-2023-38831/.git/hooks/pre-merge-commit.sample
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
CVE-2023-38831/.git/hooks/pre-push.sample
Resource
win7-20240221-en
Behavioral task
behavioral9
Sample
CVE-2023-38831/.git/hooks/pre-rebase.sample
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
CVE-2023-38831/.git/hooks/pre-receive.sample
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
CVE-2023-38831/.git/hooks/prepare-commit-msg.sample
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
CVE-2023-38831/.git/hooks/push-to-checkout.sample
Resource
win7-20240419-en
Behavioral task
behavioral13
Sample
CVE-2023-38831/.git/hooks/update.sample
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
CVE-2023-38831/exploit.py
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
CVE-2023-38831/script.bat
Resource
win7-20240220-en
General
-
Target
CVE-2023-38831/exploit.py
-
Size
1KB
-
MD5
f04c728b8304521ee88ccea1bb8ddd54
-
SHA1
27ce9463a35d9fb4c3d11a1b56c7d4bbcda37e83
-
SHA256
2345ee5f0641c8fe1e0eff9b684336e65fdafb9b6ef5b21f343a04980e7e40bf
-
SHA512
22ef36af6717bd89b6541a0c1411106923095b620023e9b4ea999986bf4da3fe4098fc3341d6c64e7d42f4039f5eb77fa0da128eac4d1a813bd19694956c1a52
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2444 AcroRd32.exe 2444 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 3024 wrote to memory of 2580 3024 cmd.exe rundll32.exe PID 3024 wrote to memory of 2580 3024 cmd.exe rundll32.exe PID 3024 wrote to memory of 2580 3024 cmd.exe rundll32.exe PID 2580 wrote to memory of 2444 2580 rundll32.exe AcroRd32.exe PID 2580 wrote to memory of 2444 2580 rundll32.exe AcroRd32.exe PID 2580 wrote to memory of 2444 2580 rundll32.exe AcroRd32.exe PID 2580 wrote to memory of 2444 2580 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\exploit.py1⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\exploit.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\exploit.py"3⤵
- Suspicious use of SetWindowsHookEx
PID:2444
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD55a36837fb2ce8e0f176e99b246d0a2df
SHA1e934d2ef81a22e67996d3107f56483719116723e
SHA25637c3761a5c12e996b866f6a02ee841f22b73daa980c2c68f6c329f67cec5da67
SHA512e2f036e50fb75304e5c82c84196badac74c9d7597d7062e5c9f081a157dacf70a3c5fa2440ad53c5f98be9a5ff4ef9d52168a1c357945032beedef1febd41e18