Analysis
- max time kernel: 104s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11-07-2024 16:58
Static task: static1
Behavioral task: behavioral1
- Sample: LSlogon.py
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: LSlogon.py
- Resource: win10v2004-20240709-en
Behavioral task: behavioral3
- Sample: python-3.12.4-amd64 (1).exe
- Resource: win7-20240708-en
Behavioral task: behavioral4
- Sample: python-3.12.4-amd64 (1).exe
- Resource: win10v2004-20240709-en
General
- Target: LSlogon.py
- Size: 1KB
- MD5: 68f0a454821aebd66b4eb3babcdf91d1
- SHA1: 8f51343e4d49d04284d6493ea30f9b71c9b84f40
- SHA256: 4c81464cf5f43c89579631c0585b0e8add282922cc1dcb7e58a8eb0062406f3f
- SHA512: 90412161575a0a8ef7534639812539236ae3979bdf02f0d8ca728b0f54c9582f87a2088581c78d9deb914f7518249ad98397dca5db09ec395e9f4824cf061d58
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description / ioc / process:
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" / rundll32.exe
  - Key created / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings / rundll32.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\ / rundll32.exe
  - Key created / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read / rundll32.exe
  - Key created / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell / rundll32.exe
  - Key created / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file\shell\Read\command / rundll32.exe
  - Key created / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\py_auto_file / rundll32.exe
  - Key created / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.py / rundll32.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.py\ = "py_auto_file" / rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid / process:
  - 3000 / AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid / process:
  - 3000 / AcroRd32.exe
  - 3000 / AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description / pid / process / target process:
  - PID 3068 wrote to memory of 2760 / 3068 / cmd.exe / rundll32.exe
  - PID 3068 wrote to memory of 2760 / 3068 / cmd.exe / rundll32.exe
  - PID 3068 wrote to memory of 2760 / 3068 / cmd.exe / rundll32.exe
  - PID 2760 wrote to memory of 3000 / 2760 / rundll32.exe / AcroRd32.exe
  - PID 2760 wrote to memory of 3000 / 2760 / rundll32.exe / AcroRd32.exe
  - PID 2760 wrote to memory of 3000 / 2760 / rundll32.exe / AcroRd32.exe
  - PID 2760 wrote to memory of 3000 / 2760 / rundll32.exe / AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\LSlogon.py
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\LSlogon.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LSlogon.py"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  - Filesize: 3KB
  - MD5: 09659f287431325009682fdc2de9e74f
  - SHA1: 8ed030a3815c1689588ebfce64cb57c513007274
  - SHA256: 97dcc87fbabeb2d3fd45447c50c0120d34eecbca0fa0bdfd50272e4618d8532f
  - SHA512: 8ab77b13460b257083492b164f62d8f44fd9cd2a0af3b8bc8fa23b8f02281ad342000764c40c7eba1edefcf4383f49adf9a036a94c738a1a92ee344dae364a17