f012dd76bed797a524a762645867d40b8812bac92049cf27c61a6910fed92d01

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advanced-multitools/plugins/Serveurlookup.py
Size

5KB
MD5

cc041c1475102ef92a33209b908215bc
SHA1

af2a56646c7a3d874c322c6eab6bb60c368120af
SHA256

81e7693fa323753f65cd0236b05b7de6e6049c81f12ba88a65cbef7cf81941b5
SHA512

c8e32fa144d0ffbcb1b9cfb3bf99d4bf1d80c79e836e2431919f7f7cd4f5473e215cbfc5c359c92aa2d5c25327c90cc2450682631401d8d01de7923baf240a3f
SSDEEP

48:llRqsYUm5nIaF+iCqJ4U95BxEJfjZB2mFrEZIX52BT9cyM/VM7NB6AIta5c49ZGa:l3qsYUIF+/a4JFmpBrWOfg9qcK/

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	AcroRd32.exe
2728	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1176	2292	cmd.exe	31
PID 2292 wrote to memory of 1176	2292	cmd.exe	31
PID 2292 wrote to memory of 1176	2292	cmd.exe	31
PID 1176 wrote to memory of 2728	1176	rundll32.exe	32
PID 1176 wrote to memory of 2728	1176	rundll32.exe	32
PID 1176 wrote to memory of 2728	1176	rundll32.exe	32
PID 1176 wrote to memory of 2728	1176	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\advanced-multitools\plugins\Serveurlookup.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\advanced-multitools\plugins\Serveurlookup.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\advanced-multitools\plugins\Serveurlookup.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ab8cb1c597c7445187d9ea56682d399d

SHA1
55e3f6bb76d839e9a0856adc5f574c763df84b52

SHA256
87286d63d1877181734a30e1b114c74d32524efa5c7ec284db18dfbe1d08ef87

SHA512
03625ff54cf144e8c0ec039096fb967484ec8b57a89fd2916631b9d4ee941726a0f81d957b2e4549968b567d2a0332f4630e99bd317cd89653398ec4e06826ba

Download Submit