Analysis
- max time kernel: 102s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 12-07-2024 23:24
Static task: static1
Behavioral task: behavioral1
- Sample: OpenMe.py
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: OpenMe.py
- Resource: win10v2004-20240709-en
Behavioral task: behavioral3
- Sample: PluginStarter/StartCola.cmd
- Resource: win7-20240708-en
Behavioral task: behavioral4
- Sample: PluginStarter/StartCola.cmd
- Resource: win10v2004-20240704-en
Behavioral task: behavioral5
- Sample: python-3.12.4-amd64.exe
- Resource: win7-20240704-en
Behavioral task: behavioral6
- Sample: python-3.12.4-amd64.exe
- Resource: win10v2004-20240709-en
General
- Target: OpenMe.py
- Size: 503B
- MD5: 89f9c3eefdfb8ac2f5512c37831041d2
- SHA1: ae680be1207291d5207072ca81283b6877d0b4b3
- SHA256: 9a10f144b4a040934cddbcf91426622805a5670e95c19bc86d434811971db973
- SHA512: 8a83123c18535533291f6d2742f1ef6eb24b9faec66bd682ccad3532d087bce438f44e7f912554b97d48ff9f3b4e78c7955b8f5af470a72d480f69c6f8dd6869
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2976 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2976 | AcroRd32.exe
  2976 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 3000 wrote to memory of 2984 | 3000 | cmd.exe | rundll32.exe
  PID 3000 wrote to memory of 2984 | 3000 | cmd.exe | rundll32.exe
  PID 3000 wrote to memory of 2984 | 3000 | cmd.exe | rundll32.exe
  PID 2984 wrote to memory of 2976 | 2984 | rundll32.exe | AcroRd32.exe
  PID 2984 wrote to memory of 2976 | 2984 | rundll32.exe | AcroRd32.exe
  PID 2984 wrote to memory of 2976 | 2984 | rundll32.exe | AcroRd32.exe
  PID 2984 wrote to memory of 2976 | 2984 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\OpenMe.py
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\OpenMe.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OpenMe.py"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: f0340bf42ae8a6d45b17e278228354a9
  SHA1: 458a591c291060b22fbb6c7dca6eaf7fbcdfe49e
  SHA256: ce593784650446409575ba80d7bc15ac4d58b36d6f63e6dd7bad52d3830b27bd
  SHA512: cf066a04ad65bcb44a5b51ccf642a1b35525b02b1472bda6c1825325eddc3c5af90bbaef3d463e85054a8ed42f6860e9225c05200697cfd915d754e4005e04fd