Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22-08-2024 21:20
Behavioral tasks
- behavioral1: sample v2/Main.py, resource win7-20240729-en
- behavioral2: sample v2/Main.py, resource win10v2004-20240802-en
- behavioral3: sample v2/Run.exe, resource win7-20240704-en
- behavioral4: sample v2/Run.exe, resource win10v2004-20240802-en
- behavioral5: sample v2/recaptcha_bypass.py, resource win7-20240708-en
- behavioral6: sample v2/recaptcha_bypass.py, resource win10v2004-20240802-en
General
- Target: v2/recaptcha_bypass.py
- Size: 3KB
- MD5: 51e652a04855251d52d5da921871422e
- SHA1: ea1ef3a0b6d80d4d397d0dc6f59e3a97f7e66a49
- SHA256: d99d0bd5f313e82444e34ff237184f6f3300dbcc2785a96de7702e68ac710896
- SHA512: 6934f8d33f957d24df66f1c8d2675f72613504114f234c6159dabfd8da9e956524809fc5c147e0146ae909ad333f24b848abbff9a84f65d81c76de48408aecf2
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - AcroRd32.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Modifies registry class (9 IoCs)
  Processes:
  - rundll32.exe: key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings
  - rundll32.exe: key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file
  - rundll32.exe: set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py\ = "py_auto_file"
  - rundll32.exe: key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read
  - rundll32.exe: key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command
  - rundll32.exe: set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\
  - rundll32.exe: key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py
  - rundll32.exe: key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell
  - rundll32.exe: set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - AcroRd32.exe (PID 2272)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - AcroRd32.exe (PID 2272), 2 events
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  - PID 764 (cmd.exe) wrote to memory of PID 2656, target 32: 3 events
  - PID 2656 (rundll32.exe) wrote to memory of PID 2272, target 33: 4 events
Processes
- C:\Windows\system32\cmd.exe (PID 764)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\v2\recaptcha_bypass.py
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2656)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\v2\recaptcha_bypass.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2272)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\v2\recaptcha_bypass.py"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

Note on the tree: shell32.dll,OpenAs_RunDLL is the "Open With" dialog, which the sandbox reached because the Windows 7 image has no handler registered for .py files; the resulting py_auto_file class points .py at Adobe Reader, so the script was opened as a document in AcroRd32.exe rather than executed by a Python interpreter, and the signatures below that process reflect Reader's own behavior, not the script's.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 69c2b7fc3d3bd0ebf699dbe5aaae67f7
- SHA1: 866111f3952073c21ac33036dbe76044fdf6870a
- SHA256: c525517c389e85ec22d501f405704a169d8a4e2717e0014f2447f8a0bf97a4d1
- SHA512: 431905d962b3d9b15fdaf7c8a86165316fbc964f95a0d5418c7460d5fc206fb677ed712abe0073df135ae8b802a52f614e55e8715b3edf2f2bc6017f6dd37229