Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 02:42
Static task
static1
Behavioral task
behavioral1
Sample
info.py
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
info.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
kam.py
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
kam.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
time.py
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
time.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
update.py
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
update.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
upload.py
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
upload.py
Resource
win10v2004-20240426-en
General
-
Target
kam.py
-
Size
436KB
-
MD5
b690f8484608d37e6be1b56f6c35e884
-
SHA1
36225ab9b213dbef29fcc30d6655d5f03974dc10
-
SHA256
3754b99649942110d10dfdeb03989123f02263547577b3ae844b1da2f60d9e81
-
SHA512
cf7e2284a5b18975783639fb33bab4302230613632f8194e44fe505cccc5c5a26ea0b575bfb9ab81dba2d8c9822dc76e99abba685f81b9bdedee0261e00cc43d
-
SSDEEP
12288:ccxcY8r7uqKhRyu/U0o6e4YhYKJbr3Dt51sO:c4cY8uqKhRyCP1LEY2r3rqO
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2612 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2612 AcroRd32.exe 2612 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1792 wrote to memory of 2240 1792 cmd.exe rundll32.exe PID 1792 wrote to memory of 2240 1792 cmd.exe rundll32.exe PID 1792 wrote to memory of 2240 1792 cmd.exe rundll32.exe PID 2240 wrote to memory of 2612 2240 rundll32.exe AcroRd32.exe PID 2240 wrote to memory of 2612 2240 rundll32.exe AcroRd32.exe PID 2240 wrote to memory of 2612 2240 rundll32.exe AcroRd32.exe PID 2240 wrote to memory of 2612 2240 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\kam.py1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\kam.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\kam.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5c0d4724d527fe0d4557cac2ef7179303
SHA183b8fe0f46b38b7f3a7d7c82407a39122842f00e
SHA256dd0e89ef5c6e6595400ca6ec14f9f3e3a4a8539c27090060a8fdf0e86ebcc4ea
SHA5122f784ae99e2f4857e9285e799ea0c06a15fdbdfdb5a5a57de05dfd7fe712ee581b10328864bc053c6817beb1772c05d8239a8103ff26cb399da4e9ab4018dd3c