4ab756f03eb0b4b9a9440403bafe4bc4f37d418555dc2e40ef451aa87dd5176b

Analysis

max time kernel
102s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solyum-defibot/exchange_api.py
Size

1KB
MD5

67c132b7e925a5cd290e3496d3fbcd9f
SHA1

92a78d34eae3e7d4e8d2e3bfb46740cd839ad86c
SHA256

23d9613338e2bf4ce0bbc4b77a87eff33ae709b6f11532496c038218a350c4d0
SHA512

70736d82a4f48ef816aae80853485f0873fdb2b6c47bb13794bb611b29b57f97983210ce57878634d23d98ecf3fa1ecfe9df4c3bafeb864780cd432e6f9e1d83

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2976	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2976	AcroRd32.exe
2976	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 2920	600	cmd.exe	31
PID 600 wrote to memory of 2920	600	cmd.exe	31
PID 600 wrote to memory of 2920	600	cmd.exe	31
PID 2920 wrote to memory of 2976	2920	rundll32.exe	32
PID 2920 wrote to memory of 2976	2920	rundll32.exe	32
PID 2920 wrote to memory of 2976	2920	rundll32.exe	32
PID 2920 wrote to memory of 2976	2920	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Solyum-defibot\exchange_api.py
1⤵
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solyum-defibot\exchange_api.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solyum-defibot\exchange_api.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ad0b31a57dc5684e31d280d52fac9203

SHA1
d80469006d9f4e63c379e7da5a9c2b05279a2df6

SHA256
5d239f5c6e389639a17842febe7c4cba019591a6c0c868b7b50ec88249ff0813

SHA512
a094dc1b9ebc43aa1f771b6dee34834ad7f469e4c79a4a70217fb9ea412e364521331d508e35a9192183721b86d16750bbf13e3b6bfce1646fbcbb22be293176

Download Submit