502b2bfc63c501480abe0209a1ad8889fba1903571d92da7b57990e2eee8b672

Analysis

max time kernel
1561s
max time network
1565s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GANG-Nuker/utilities/Settings/update.py
Size

5KB
MD5

4bf2fc54a6ae687c63d7fbe7af60c08e
SHA1

25cd8319ded225a40b633156b70f0849ab44b43d
SHA256

4272ea902df70571c3d862a50258604b65907fa68fed8b5b607b204763759774
SHA512

23d188285954c5f222be7d850c3b9d86b8bf47848f3d89f79ef89ab33cafa739d6cf1d5156dbfb4a8a979c45425abc8a24dd5b1f91dc128b53fa164e64b97e18
SSDEEP

48:gih832plNYwHFYhYAzX1Ra7VThRDkib1XKm+tiNr7Q+bn81+fPly:O32pDxHF+YGXjQV/+ohhy

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2820 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2820 AcroRd32.exe
2820 AcroRd32.exe

pid	process
2820	AcroRd32.exe

pid	process
2820	AcroRd32.exe
2820	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2512 wrote to memory of 2240	2512	cmd.exe	rundll32.exe
PID 2512 wrote to memory of 2240	2512	cmd.exe	rundll32.exe
PID 2512 wrote to memory of 2240	2512	cmd.exe	rundll32.exe
PID 2240 wrote to memory of 2820	2240	rundll32.exe	AcroRd32.exe
PID 2240 wrote to memory of 2820	2240	rundll32.exe	AcroRd32.exe
PID 2240 wrote to memory of 2820	2240	rundll32.exe	AcroRd32.exe
PID 2240 wrote to memory of 2820	2240	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2820

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
f35d7ceedf4a627c6039794181a4765b

SHA1
677558d84614007dbd4c63b63c20443f20b25a5e

SHA256
5e6d68592201908b20f6b64f4ca290fe91a0d3a67fbae4d3507f816f8734d335

SHA512
62f6dfa0503bf29ab3aab457c633e84eeceeff72240c78d12c33c8edb616a6bb80efb6478f1a7f3578b082dbf2a958f434bb6d8c1fce4d53c9c48bdc07f29d05

Download Submit