6ba6e8958b2d684f1db859f439dbdbf527a0de31663a9dd6bee4ab587806d034

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

auto_rig_pro-master/src/export_fbx/arp_fbx_init.py
Size

14KB
MD5

b92820dbed6b90ab494ba4f199a5cfb4
SHA1

7edd370e243f2f19244dd3003a4eb215cb7f1f24
SHA256

4ebafea6442ecb6eff87c79eae8760775aa9fe086f37f8e94033a8accdec5e06
SHA512

f46f3715524378dbf8f87b336350d3213ea5f357b7ae7050c2fb65594a75cb37a2caa71c0832fe83e7d56e3bbf18231e009ea8bd5ded827321ed05d16d7e81a0
SSDEEP

192:qvTNlbj+vC8s3zzwegi3rQwKMzCJcb8q8w41mG4bDNT:q5lbav6Dci3AMz9uw416

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	AcroRd32.exe
2716	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2120	2316	cmd.exe	31
PID 2316 wrote to memory of 2120	2316	cmd.exe	31
PID 2316 wrote to memory of 2120	2316	cmd.exe	31
PID 2120 wrote to memory of 2716	2120	rundll32.exe	33
PID 2120 wrote to memory of 2716	2120	rundll32.exe	33
PID 2120 wrote to memory of 2716	2120	rundll32.exe	33
PID 2120 wrote to memory of 2716	2120	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\auto_rig_pro-master\src\export_fbx\arp_fbx_init.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\auto_rig_pro-master\src\export_fbx\arp_fbx_init.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\auto_rig_pro-master\src\export_fbx\arp_fbx_init.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
19456a47a7b85ff895ebe09d80e2bcf6

SHA1
59518510759669e2b8bac013a645400e583eb7bc

SHA256
0935e4328717fbb4481684fbb5dedbb48361802d4eb624466177c195ff104b8b

SHA512
06244e2c68ab2ed8ed462ef075e2d2c22af15e270d0a6f98a4598c693fa5a1c86f4d27d7e4fff3429e404d7ca612f33268d64a4f462599b9ed19639bc656b5cb

Download Submit