bcacc3ebe1bbb561b803f0c027dee306aec44931b7f5a10f2d2befc2243d3b0d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hola.py
Size

1KB
MD5

661bea8007107987e54e2a40af02026f
SHA1

a52a0edabe8a39870b7d5ce028352d3c18c09889
SHA256

bcacc3ebe1bbb561b803f0c027dee306aec44931b7f5a10f2d2befc2243d3b0d
SHA512

011bb54b2ee0298897d8c2e4c291714245157b41fe6d20ab4aa262ebe1a1103d18fb0b06d538ca43f7f52e4693fcccc97bc4d3d3c6407976229a243bd99f162f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2704 AcroRd32.exe
2704 AcroRd32.exe

pid	process
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2356 wrote to memory of 2776	2356	cmd.exe	rundll32.exe
PID 2356 wrote to memory of 2776	2356	cmd.exe	rundll32.exe
PID 2356 wrote to memory of 2776	2356	cmd.exe	rundll32.exe
PID 2776 wrote to memory of 2704	2776	rundll32.exe	AcroRd32.exe
PID 2776 wrote to memory of 2704	2776	rundll32.exe	AcroRd32.exe
PID 2776 wrote to memory of 2704	2776	rundll32.exe	AcroRd32.exe
PID 2776 wrote to memory of 2704	2776	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hola.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\hola.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\hola.py"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2704

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
cbe883220f6bad071c022d3ff13c69b5

SHA1
e2cd99c2dad10a9f362a0fdb09df8b43c09c881d

SHA256
d76d880f9d84069e9c1a3c6eeb70474159b396c48a5f419724351a20a679eea9

SHA512
b7863f92d69f2172bdb735a9f18a88a4cb2a6446c7cd735606cbf716235c26f78174cb332aa15ebb59650b9ed35fa778527947ae1f3797a9b4990c8fd21e9a39

Download Submit