cecdef5d50f340a4e30590e57d378d2693caec05568d192cb59454555cd85936

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download_in.py
Size

2KB
MD5

9089a671b5642cbd804b084a50604fa7
SHA1

ebe02d9361d332a24c5d0db503b5a9094fa92acf
SHA256

cecdef5d50f340a4e30590e57d378d2693caec05568d192cb59454555cd85936
SHA512

c660491cd81a39e0e2189e789be54dde672c8be1c99b17d43bd2ba7351e0bc21e11ff404a25694b99bcc5a84271d90f67ed0e416f92fe449dc8ec5450e482121

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2216	AcroRd32.exe
2216	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2476	2956	cmd.exe	31
PID 2956 wrote to memory of 2476	2956	cmd.exe	31
PID 2956 wrote to memory of 2476	2956	cmd.exe	31
PID 2476 wrote to memory of 2216	2476	rundll32.exe	32
PID 2476 wrote to memory of 2216	2476	rundll32.exe	32
PID 2476 wrote to memory of 2216	2476	rundll32.exe	32
PID 2476 wrote to memory of 2216	2476	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\download_in.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\download_in.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\download_in.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
17cc761847462ab798063088ebf1b57f

SHA1
a7f8843b680bf7ca21fa58fa49b411ad87355fa4

SHA256
b7fb9c0e28e49a973f2e1019af36da56a7cf1c4cad2d651decdd6d73704c8818

SHA512
1b937b7d7f5119ea0e1b8431fcf984983e84c0439c4d8ab4ecd476b16d75920813d50dcb392d86ba11d9aa943417314eeb6d5898af595a5362ae891a9b01274b

Download Submit