ec57db3a01842d649a50f90eff632dd05edde36d0fe72b2d4177e1e67ca3b479

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UntitledNuker-master/src/UntitledNuker.py
Size

21KB
MD5

de5043cfbbfa73015e277e1b141e9088
SHA1

f19481f09dd9f82fd4d70de52313cbd87e5a1dce
SHA256

e7bcf41e37c6919b180cf9372e850ceb3bb2fd14a23f757e802148a60e5dd937
SHA512

9ffa8ca75bf6b5c9cc850a219e68ac1474466bbeb890b1ff522f44407df9606add44b06f5c56aa4b70b78b2023144a8fabf67818fe469147c0b54ec3e7dcb459
SSDEEP

192:0x9tq/z2FmB5b+bf8pmRIlrUkPIa5mco8B/BCpoxlgfxM+jncSxU4AsSQa/gQYjt:0rY+b3JkPIJO8TiXk

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2736 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2736 AcroRd32.exe
2736 AcroRd32.exe

pid	process
2736	AcroRd32.exe

pid	process
2736	AcroRd32.exe
2736	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2928 wrote to memory of 2664	2928	cmd.exe	rundll32.exe
PID 2928 wrote to memory of 2664	2928	cmd.exe	rundll32.exe
PID 2928 wrote to memory of 2664	2928	cmd.exe	rundll32.exe
PID 2664 wrote to memory of 2736	2664	rundll32.exe	AcroRd32.exe
PID 2664 wrote to memory of 2736	2664	rundll32.exe	AcroRd32.exe
PID 2664 wrote to memory of 2736	2664	rundll32.exe	AcroRd32.exe
PID 2664 wrote to memory of 2736	2664	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\UntitledNuker-master\src\UntitledNuker.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\UntitledNuker-master\src\UntitledNuker.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\UntitledNuker-master\src\UntitledNuker.py"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2736

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
41e8ac338cde0c7b8a77936e5dfd45de

SHA1
3da00407a2be321c6b9d5030eb681e9e61526ad1

SHA256
95e7ef023282ad8209fb284a7aa0d73ee851536f6714f7628c91d90f9e5afb9f

SHA512
270cf89d98d8b5a23d435bcc1140c4234933d77bb52752fd82e19d5794a01a108a92cafc60e1409103c2d23fe451e0e66cc5edf2c78c43894308c5b443e59fc7

Download Submit