6ba6e8958b2d684f1db859f439dbdbf527a0de31663a9dd6bee4ab587806d034

Analysis

max time kernel
102s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

auto_rig_pro-master/__init__.py
Size

5KB
MD5

cb829de0ef04923683afb18f2c92780d
SHA1

56293876e46ff1915b83f72456bedb492a24e85f
SHA256

fd32cca387f08dd536c0cfd166697cbc159c52265129cfdc34cca2eeae1cc35c
SHA512

f4ab0c719cd0ab328745b898c4c061f8ead1bd8345f4020638cadf22022900c4b6f322cfc4447d3b7d940987974c53329a621d0549ec3df53812e59bd4123ad5
SSDEEP

96:8XfzLjHiZhY8qe5cpqJQlCCBC59R2uscLdRuZu9E7NafgOxEXl6oahbsl2t/e:8Xf/eRePlaZWu9E7NxOxEXl6ocbsl2t2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	AcroRd32.exe
2772	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2680	1712	cmd.exe	30
PID 1712 wrote to memory of 2680	1712	cmd.exe	30
PID 1712 wrote to memory of 2680	1712	cmd.exe	30
PID 2680 wrote to memory of 2772	2680	rundll32.exe	31
PID 2680 wrote to memory of 2772	2680	rundll32.exe	31
PID 2680 wrote to memory of 2772	2680	rundll32.exe	31
PID 2680 wrote to memory of 2772	2680	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\auto_rig_pro-master\__init__.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\auto_rig_pro-master\__init__.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\auto_rig_pro-master\__init__.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cf1b146709220474ad4af45130c14985

SHA1
ee12fb89a8ef61af50598cb53c1c09cf23c327d5

SHA256
f33b09c2d6e357adc03276ea84d9995d5331530bdc4b3b0e521dbb55770f9479

SHA512
4aee24f65cb615383c1965de44f77a8f7d2c61e7a5217433a3cea807bce65429d4a863f36de5c87b0a707ad54e824a2e2da4d7d856e330e713f784c61b0059dd

Download Submit