Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 21:23
Behavioral tasks (task: sample, resource)
- behavioral1: Batch CIA 3DS Decryptor.zip, win7-20240705-en
- behavioral2: Batch CIA 3DS Decryptor.zip, win10v2004-20240709-en
- behavioral3: Batch CIA 3DS Decryptor.bat, win7-20240708-en
- behavioral4: Batch CIA 3DS Decryptor.bat, win10v2004-20240709-en
- behavioral5: ctrtool.exe, win7-20240708-en
- behavioral6: ctrtool.exe, win10v2004-20240709-en
- behavioral7: decrypt.exe, win7-20240704-en
- behavioral8: decrypt.exe, win10v2004-20240709-en
- behavioral9: decrypt.pyc, win7-20240708-en
- behavioral10: decrypt.pyc, win10v2004-20240709-en
- behavioral11: makerom.exe, win7-20240705-en
- behavioral12: makerom.exe, win10v2004-20240704-en
General
- Target: decrypt.pyc
- Size: 15KB
- MD5: d8190edf92bc2fb111cd8f3563e100dd
- SHA1: bdcd6ec7925de3937875123bfde603e742d884a2
- SHA256: c3ab2e8d826e37932b4ed23d4d4cc3a5094e83aeee6c31094aeab042a1d7fcb9
- SHA512: 499d057edc0b77d6d6570f28cc0f489768440fea1ff5cc6b5b3090b086dd10bdf6944e589694a255489d883c7ec336b69f43c4314bfbb17f1979763ad63f97eb
- SSDEEP: 384:wr/QD2INAgOFnLeb6LJwTWwH3s/DDv5JjBHxvZcZey:wbBIqg8nRiWwH3s/fxJlXAJ
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process: rundll32.exe
  Entries (description: ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command, rundll32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"", rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc, rundll32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc\ = "pyc_auto_file", rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file, rundll32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\, rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: rundll32.exe
  - PID 2192, rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe
  - PID 2800, AcroRd32.exe
  - PID 2800, AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  Entries (description: pid, process, target process):
  - PID 1488 wrote to memory of 2192: 1488, cmd.exe, rundll32.exe
  - PID 1488 wrote to memory of 2192: 1488, cmd.exe, rundll32.exe
  - PID 1488 wrote to memory of 2192: 1488, cmd.exe, rundll32.exe
  - PID 2192 wrote to memory of 2800: 2192, rundll32.exe, AcroRd32.exe
  - PID 2192 wrote to memory of 2800: 2192, rundll32.exe, AcroRd32.exe
  - PID 2192 wrote to memory of 2800: 2192, rundll32.exe, AcroRd32.exe
  - PID 2192 wrote to memory of 2800: 2192, rundll32.exe, AcroRd32.exe
Processes (process tree; each nested entry is a child of the one above it)
- C:\Windows\system32\cmd.exe (PID 1488)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\decrypt.pyc
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2192)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decrypt.pyc
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2800)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decrypt.pyc"
      - Suspicious use of SetWindowsHookEx