a73f041afa6413f0fd67e9672bc4b956c9be1ca2f4de3bcf6455d5e0d3c67b89

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cryptic tool/util/10_AccountDisabler/accountdisabler.py
Size

1KB
MD5

15ebdec1dd0fc82b2a997c2cec693d7f
SHA1

e1a6c5d4578f4585c796dfaa431d5f9863e44d2a
SHA256

5eaa6e450d71ead0815622f9fc09a4a38c5b344daec1f1f8903fb123c588256b
SHA512

a31a28fd4848074b58521c6afbb962b8352b5dfdfb00a03b3b7ca3ebde67627480781d9a0fe293cba416ae212aede38bb4c2180847cbbe0b97e04daad5481bb1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2572	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2572	AcroRd32.exe
2572	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2612	2548	cmd.exe	29
PID 2548 wrote to memory of 2612	2548	cmd.exe	29
PID 2548 wrote to memory of 2612	2548	cmd.exe	29
PID 2612 wrote to memory of 2572	2612	rundll32.exe	30
PID 2612 wrote to memory of 2572	2612	rundll32.exe	30
PID 2612 wrote to memory of 2572	2612	rundll32.exe	30
PID 2612 wrote to memory of 2572	2612	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cryptic tool\util\10_AccountDisabler\accountdisabler.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cryptic tool\util\10_AccountDisabler\accountdisabler.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cryptic tool\util\10_AccountDisabler\accountdisabler.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
56a9a3773bb5be5eebd72cbf421786c5

SHA1
bcbecae2a89f70a283a3af2e2a9fece5f9bbbe40

SHA256
15097d8ea021a9f8dca0b35213ebfa454252e687447504b649dc7363ca7d595a

SHA512
f10d6e62189fc715d19a7f344379180e9eb118aa4422471f08d87153f6aa6d055d074182a9f29121e3e44737265e223de7a8b1fd0a1448503be5e41fdfa9aec6

Download Submit