36ea1834880711141b9c8774af22b77b7da92b5e71699cd8e0d330862b4b7a05

Analysis

max time kernel
102s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Incognito-main/exploit/api.py
Size

6KB
MD5

c32ad8b21e1190e4d7df9d87ce90ee1c
SHA1

26761dc550b5ef11665a746c5cf12cff2682eff0
SHA256

0065acc1a113e1582b050a8e9fb05a1e9f6bfa52a5657e806a35c0894a7c6aff
SHA512

6805121a126862261e509545775e89e5bc90a4823220a7cfbbbaa8f757b61127e1c2c132e76e35acc7503246a4d48256d01478e01f0749478dfbd68609a9c9b0
SSDEEP

96:yV7XxhJxmXK01xEYR8DvbE4Axbl7bTVjTm3dhA15:yBxhyZ1xEYSvC5l7bTtTgdh65

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3036	AcroRd32.exe
3036	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2360	2528	cmd.exe	30
PID 2528 wrote to memory of 2360	2528	cmd.exe	30
PID 2528 wrote to memory of 2360	2528	cmd.exe	30
PID 2360 wrote to memory of 3036	2360	rundll32.exe	31
PID 2360 wrote to memory of 3036	2360	rundll32.exe	31
PID 2360 wrote to memory of 3036	2360	rundll32.exe	31
PID 2360 wrote to memory of 3036	2360	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Incognito-main\exploit\api.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Incognito-main\exploit\api.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Incognito-main\exploit\api.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8ae2f18d5694283cb0c85d6daaa3235c

SHA1
6ea25a0927d5bf727aa03cdc47e0c02118c112af

SHA256
29530a30580dfd174e509ee4d6dd0457fb3257044190d05cec7f6fe21490ba54

SHA512
44a5df051518fba23b27fc158d4370bf6f8b9795ee8a15fc602a5f8e5611631f55fcd001c01edccfcdaefd035b45f9da9761f81f214a3919061d70a984238ba4

Download Submit