Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2024 17:36
Behavioral tasks

behavioral1: UntitledNuker-master/UntitledNuker.exe on win7-20240215-en
behavioral2: UntitledNuker-master/UntitledNuker.exe on win10v2004-20240426-en
behavioral3: UntitledNuker-master/src/UntitledNuker.py on win7-20240221-en (the task shown on this page)
behavioral4: UntitledNuker-master/src/UntitledNuker.py on win10v2004-20240508-en
General

Target: UntitledNuker-master/src/UntitledNuker.py
Size: 21KB
MD5: de5043cfbbfa73015e277e1b141e9088
SHA1: f19481f09dd9f82fd4d70de52313cbd87e5a1dce
SHA256: e7bcf41e37c6919b180cf9372e850ceb3bb2fd14a23f757e802148a60e5dd937
SHA512: 9ffa8ca75bf6b5c9cc850a219e68ac1474466bbeb890b1ff522f44407df9606add44b06f5c56aa4b70b78b2023144a8fabf67818fe469147c0b54ec3e7dcb459
SSDEEP: 192:0x9tq/z2FmB5b+bf8pmRIlrUkPIa5mco8B/BCpoxlgfxM+jncSxU4AsSQa/gQYjt:0rY+b3JkPIJO8TiXk
Malware Config
Signatures
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (9 IoCs)
Process: rundll32.exe (PID 2664). Every key is under the user's per-user Classes hive, \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES:
Key created: \.py
Key created: \py_auto_file
Key created: \py_auto_file\shell
Key created: \py_auto_file\shell\Read
Key created: \py_auto_file\shell\Read\command
Key created: \Local Settings
Set value (str): \.py\ = "py_auto_file"
Set value (str): \py_auto_file\ (value not shown in the report)
Set value (str): \py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
Taken together, these writes register the previously unknown .py extension under a new ProgID, py_auto_file, whose Read verb launches Adobe Reader with the file as %1. That is exactly what the Windows "Open With" dialog (rundll32.exe shell32.dll,OpenAs_RunDLL, see Processes) writes when a program is chosen for an extension with no handler. The writer is rundll32.exe, not the submitted script, so this is not a file-association hijack performed by the sample.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: AcroRd32.exe (PID 2736)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Process: AcroRd32.exe (PID 2736), two calls
-
Suspicious use of WriteProcessMemory (7 IoCs)
PID 2928 (cmd.exe) wrote to memory of PID 2664 (rundll32.exe): 3 events
PID 2664 (rundll32.exe) wrote to memory of PID 2736 (AcroRd32.exe): 4 events
Both pairs are parent and child (cmd.exe started rundll32.exe, rundll32.exe started AcroRd32.exe); these are the writes a parent makes into a process it has just created, not injection into an unrelated process.
Processes

1. C:\Windows\system32\cmd.exe (PID 2928)
   cmd /c C:\Users\Admin\AppData\Local\Temp\UntitledNuker-master\src\UntitledNuker.py
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2664)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\UntitledNuker-master\src\UntitledNuker.py
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2736)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\UntitledNuker-master\src\UntitledNuker.py"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx

Reading the tree: the sandbox launched the sample with cmd /c <file>.py. The image has no handler for .py, so the shell fell through to the "Open With" dialog (shell32.dll,OpenAs_RunDLL), which registered py_auto_file pointing at Adobe Reader and then opened the script as a document. No Python interpreter appears anywhere in the tree, so the script's code never executed in this task; every signature above describes shell and Adobe Reader behaviour, not the sample's. To observe what UntitledNuker.py actually does, run it on an image with Python installed or submit the compiled UntitledNuker.exe (behavioral1 and behavioral2).
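The check above is worth automating, because a sandbox will happily score an "Open With" detour as a malicious run. The following is an added triage helper, not code from the sandbox report or from the UntitledNuker project: it reads a process list and the Classes "Set value" events of a report like this one and decides whether the submitted script was interpreted or only handed to shell32.dll,OpenAs_RunDLL and a viewer. The process and registry records embedded below are constructed from the report above; the interpreter list, function names and record layout are this example's own assumptions.

```python
"""Added triage helper, not code from the sandbox report or from the
UntitledNuker project. It answers the question the process tree above
raises: was the submitted script interpreted, or only handed to the
Windows "Open With" dialog (shell32.dll,OpenAs_RunDLL) and a viewer?
The process and registry records below are constructed from the report;
function and constant names are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    cmdline: str


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\UntitledNuker-master\src\UntitledNuker.py"

# Constructed from the Processes section of the report (pid, parent, image, command line).
PROCS = [
    Proc(2928, None, r"C:\Windows\system32\cmd.exe",
         r"cmd /c " + SAMPLE_PATH),
    Proc(2664, 2928, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL ' + SAMPLE_PATH),
    Proc(2736, 2664, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
         r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "' + SAMPLE_PATH + '"'),
]

# Constructed from the "Modifies registry class" IoCs of the report.
CLASSES = r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES"
REGISTRY_EVENTS = [
    r'Set value (str) ' + CLASSES + r'\py_auto_file\shell\Read\command\ = '
    r'"\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""',
    r'Set value (str) ' + CLASSES + r'\.py\ = "py_auto_file"',
]

# Images that would mean the script's code actually ran (assumed list; extend for other runtimes).
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"}
OPEN_WITH = re.compile(r"shell32\.dll,\s*OpenAs_RunDLL", re.IGNORECASE)
SET_VALUE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<val>.*)"$')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Follow parent links from pid to the root; returns [root, ..., pid]."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].parent
    return chain[::-1]


def classify_script_launch(procs, sample_path):
    """Decide whether sample_path was executed by an interpreter or merely opened
    through the Open With dialog; returns a small dict with the evidence."""
    touching = [p for p in procs if sample_path.lower() in p.cmdline.lower()]
    interp = [p for p in touching if basename(p.image) in INTERPRETERS]
    open_with = [p for p in touching if OPEN_WITH.search(p.cmdline)]
    viewers = [p for p in touching if p.parent in {o.pid for o in open_with}]
    if interp:
        verdict = "executed"
    elif open_with:
        verdict = "not executed: unregistered extension sent to Open With dialog"
    else:
        verdict = "unknown"
    return {"verdict": verdict,
            "interpreter_pids": [p.pid for p in interp],
            "open_with_pids": [p.pid for p in open_with],
            "viewer_images": [basename(p.image) for p in viewers]}


def unescape(value: str) -> str:
    """Undo the JSON-style escaping the report applies to string values."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def file_associations(events):
    """Map extension -> (ProgID, shell command) from Classes 'Set value' events,
    i.e. recover what the Open With dialog registered."""
    progid_for_ext, command_for_progid = {}, {}
    for line in events:
        m = SET_VALUE.match(line)
        if not m:
            continue
        parts = m["key"].rstrip("\\").split("\\")
        if parts[-1].startswith("."):                 # ...\CLASSES\.py = ProgID
            progid_for_ext[parts[-1].lower()] = m["val"]
        elif len(parts) >= 4 and parts[-1].lower() == "command" \
                and parts[-3].lower() == "shell":     # ...\<ProgID>\shell\<verb>\command
            command_for_progid[parts[-4]] = unescape(m["val"])
    return {ext: (pid, command_for_progid.get(pid)) for ext, pid in progid_for_ext.items()}


if __name__ == "__main__":
    print(classify_script_launch(PROCS, SAMPLE_PATH))
    print(file_associations(REGISTRY_EVENTS))
    print(" -> ".join(basename(p.image) for p in lineage(PROCS, 2736)))
```

On the report's data the verdict is "not executed": no interpreter touched the file, rundll32.exe (PID 2664) carried the OpenAs_RunDLL command line, and its child AcroRd32.exe received the path; the association recovered from the registry events is .py -> py_auto_file -> "...\AcroRd32.exe" "%1". The same function returns "executed" when a python.exe process with the sample on its command line is present, which is the condition a .py submission should meet before its signatures are trusted.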
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents (written under Adobe Reader's per-user profile directory)
Filesize: 3KB
MD5: 41e8ac338cde0c7b8a77936e5dfd45de
SHA1: 3da00407a2be321c6b9d5030eb681e9e61526ad1
SHA256: 95e7ef023282ad8209fb284a7aa0d73ee851536f6714f7628c91d90f9e5afb9f
SHA512: 270cf89d98d8b5a23d435bcc1140c4234933d77bb52752fd82e19d5794a01a108a92cafc60e1409103c2d23fe451e0e66cc5edf2c78c43894308c5b443e59fc7