Analysis
- max time kernel: 34s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 29-07-2024 23:16
Behavioral tasks
- behavioral1: sample V3NOM FINAL V.exe, resource win7-20240704-en
- behavioral2: sample V3NOM FINAL V.exe, resource win10v2004-20240709-en
- behavioral3: sample misc.pyc, resource win7-20240705-en
- behavioral4: sample misc.pyc, resource win10v2004-20240709-en
- behavioral5: sample source_prepared.pyc, resource win7-20240708-en
- behavioral6: sample source_prepared.pyc, resource win10v2004-20240709-en
General
- Target: source_prepared.pyc
- Size: 173KB
- MD5: 455f62b850ee95869e2b7d4dc6595bf3
- SHA1: b7d1ccba975bd135f667b283bf923689b12ac560
- SHA256: 892727febef17566a71923a681cd87db4c5c0046a95fbf62304f2ee73fe60ea3
- SHA512: cda9bcbf94c348705d63a921aa5a06ddcfa9d701b7c5a653d3eaed879244892a67fd65bcd7ea6debefc984b790dca0824b697914fc5dace9d8105a475fc15afd
- SSDEEP: 3072:+rIhk0aOO22A1VSUkosPZTJ0pZyScWaQV+AcwIvdXzvsTWu:+rEk0aOO22ApkoHpL9EAAsP
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AcroRd32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2556 | AcroRd32.exe
  2556 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2328 wrote to memory of 2700 | 2328 | cmd.exe | rundll32.exe
  PID 2328 wrote to memory of 2700 | 2328 | cmd.exe | rundll32.exe
  PID 2328 wrote to memory of 2700 | 2328 | cmd.exe | rundll32.exe
  PID 2700 wrote to memory of 2556 | 2700 | rundll32.exe | AcroRd32.exe
  PID 2700 wrote to memory of 2556 | 2700 | rundll32.exe | AcroRd32.exe
  PID 2700 wrote to memory of 2556 | 2700 | rundll32.exe | AcroRd32.exe
  PID 2700 wrote to memory of 2556 | 2700 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  - Suspicious use of WriteProcessMemory
  PID: 2328
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2700
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 391d8f37936746746789c6ba747f09cc
  SHA1: c52639d926b16c28a6a030a9f807f461544d10a0
  SHA256: d393df04a745f82fdeedbbdbe464da6dbe2e491a738557dd0b80c80042410987
  SHA512: 0a82fa6d552293eaa69f4c900cfe128649d594f79510571754cd1c66e853811c9947166a4a628dab5773bbec67443abc01fd712b30204f43f22ba4b5f969201f