Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:37
Static task
- static1
Behavioral task
- behavioral1
  - Sample: hola.py
  - Resource: win7-20231129-en
Behavioral task
- behavioral2
  - Sample: hola.py
  - Resource: win10v2004-20240226-en
General
- Target: hola.py
- Size: 1KB
- MD5: 661bea8007107987e54e2a40af02026f
- SHA1: a52a0edabe8a39870b7d5ce028352d3c18c09889
- SHA256: bcacc3ebe1bbb561b803f0c027dee306aec44931b7f5a10f2d2befc2243d3b0d
- SHA512: 011bb54b2ee0298897d8c2e4c291714245157b41fe6d20ab4aa262ebe1a1103d18fb0b06d538ca43f7f52e4693fcccc97bc4d3d3c6407976229a243bd99f162f
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell (rundll32.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  - PID 2704 AcroRd32.exe
  - PID 2704 AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  - PID 2356 wrote to memory of 2776: cmd.exe -> rundll32.exe
  - PID 2356 wrote to memory of 2776: cmd.exe -> rundll32.exe
  - PID 2356 wrote to memory of 2776: cmd.exe -> rundll32.exe
  - PID 2776 wrote to memory of 2704: rundll32.exe -> AcroRd32.exe
  - PID 2776 wrote to memory of 2704: rundll32.exe -> AcroRd32.exe
  - PID 2776 wrote to memory of 2704: rundll32.exe -> AcroRd32.exe
  - PID 2776 wrote to memory of 2704: rundll32.exe -> AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\hola.py
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\hola.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\hola.py"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  - Filesize: 3KB
  - MD5: cbe883220f6bad071c022d3ff13c69b5
  - SHA1: e2cd99c2dad10a9f362a0fdb09df8b43c09c881d
  - SHA256: d76d880f9d84069e9c1a3c6eeb70474159b396c48a5f419724351a20a679eea9
  - SHA512: b7863f92d69f2172bdb735a9f18a88a4cb2a6446c7cd735606cbf716235c26f78174cb332aa15ebb59650b9ed35fa778527947ae1f3797a9b4990c8fd21e9a39