f012dd76bed797a524a762645867d40b8812bac92049cf27c61a6910fed92d01

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advanced-multitools/plugins/Serveurlookup.py
Size

5KB
MD5

cc041c1475102ef92a33209b908215bc
SHA1

af2a56646c7a3d874c322c6eab6bb60c368120af
SHA256

81e7693fa323753f65cd0236b05b7de6e6049c81f12ba88a65cbef7cf81941b5
SHA512

c8e32fa144d0ffbcb1b9cfb3bf99d4bf1d80c79e836e2431919f7f7cd4f5473e215cbfc5c359c92aa2d5c25327c90cc2450682631401d8d01de7923baf240a3f
SSDEEP

48:llRqsYUm5nIaF+iCqJ4U95BxEJfjZB2mFrEZIX52BT9cyM/VM7NB6AIta5c49ZGa:l3qsYUIF+/a4JFmpBrWOfg9qcK/

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
544	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
544	AcroRd32.exe
544	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2440	3064	cmd.exe	29
PID 3064 wrote to memory of 2440	3064	cmd.exe	29
PID 3064 wrote to memory of 2440	3064	cmd.exe	29
PID 2440 wrote to memory of 544	2440	rundll32.exe	32
PID 2440 wrote to memory of 544	2440	rundll32.exe	32
PID 2440 wrote to memory of 544	2440	rundll32.exe	32
PID 2440 wrote to memory of 544	2440	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\advanced-multitools\plugins\Serveurlookup.py
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\advanced-multitools\plugins\Serveurlookup.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\advanced-multitools\plugins\Serveurlookup.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d3110f58be84713cbe13e50b34344116

SHA1
5b40a8a4745fe0ffc10a2ba29e331fb7011d0c2b

SHA256
8d05f74c43234e6021cb139ccd8fd2c990fbde9f7c09db61989e0af079ddaf01

SHA512
7fb7fd0f6016b0755dfa2f4f238368f911ee44f361231fb9fd6dc3ef9fb79ea6e3222d04bd77169d94273981b4ae3612add70f7a713a05ff7e81d1463117dc7f

Download Submit