2795153f640f44d5fd12c73aa5291f29f3448bade08565e5e326c07184c594c3

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

automessage.py
Size

3KB
MD5

4de6baf8791574cd541aef6e0dd3ca36
SHA1

960aa24a7efec53665ef892b20c24e884edce823
SHA256

33d3bedf34de9f2c976e9eb5cee6516581c25504907ea6abab32b7294867f385
SHA512

b26cd501997d990198d5fdbb4b67027a24accfddc3b6ddefaa1d0b26f2e39648f65f9294ffd651f03ac724ea40c027f1b940348127e5f815b54a62760bc4c004

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1368	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1368	AcroRd32.exe
1368	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3056	2276	cmd.exe	31
PID 2276 wrote to memory of 3056	2276	cmd.exe	31
PID 2276 wrote to memory of 3056	2276	cmd.exe	31
PID 3056 wrote to memory of 1368	3056	rundll32.exe	32
PID 3056 wrote to memory of 1368	3056	rundll32.exe	32
PID 3056 wrote to memory of 1368	3056	rundll32.exe	32
PID 3056 wrote to memory of 1368	3056	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\automessage.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\automessage.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\automessage.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
fb24144c6d1982a94cb506807cf01891

SHA1
9229660a5358b2e0787bccc8fa9aedd682014a7c

SHA256
fbb895fbfc505f8aa03293022bb5945e28d6250055b315b60f6cce6e0b0f290b

SHA512
182a17a39b0e2fb39e77cf0aa5bc1a5947918b7f17c1a50cabdcb8d5ebb32a027f7087a4a3cfea627d091a9056966f7ae8f4b874234a4cec4cee2860d2596890

Download Submit