bff471ca32dc07d8eeb7073ad2412c9f13be7e8edabb3beda4aede289311b93e

Resubmissions

03/09/2024, 02:46

240903-c9rdysvenp 3

03/09/2024, 02:45

240903-c83etsveml 3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Butter free - G2/Hide.py
Size

27KB
MD5

130fd80b0b7659fa3287469b4f8d6fa2
SHA1

5136dca35087d8aeef1f8ba8e0980fcf61764bec
SHA256

c1eb0a0087d29cd6ea06bd18e47f5446726f2fdb6943e7b2beba2ebaa8dd4e7a
SHA512

85c8439eebf8c94154370674317aa7d754503b0a844a6946a6066e4b51b62fbd7fd4854c7a4ccf0a32b8db3a078a58fcb806ae9014f0550da7b33ed55a7739f1
SSDEEP

384:RxllNPA+WpztZjgzcJ4oAhjibce08zrXcQxvmIN4t:FA7fZjUcJxAhocpnEeIN4t

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\py_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2912	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2912	AcroRd32.exe
2912	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2692	2116	cmd.exe	32
PID 2116 wrote to memory of 2692	2116	cmd.exe	32
PID 2116 wrote to memory of 2692	2116	cmd.exe	32
PID 2692 wrote to memory of 2912	2692	rundll32.exe	33
PID 2692 wrote to memory of 2912	2692	rundll32.exe	33
PID 2692 wrote to memory of 2912	2692	rundll32.exe	33
PID 2692 wrote to memory of 2912	2692	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Butter free - G2\Hide.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Butter free - G2\Hide.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Butter free - G2\Hide.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1b82e9b1250fbe41aef8d92d34890006

SHA1
cd494c2388e11473f676e0ed46ce80fd444cebda

SHA256
b52f67b16d572afcf38d64fcd529695a828fbe931f2499a146c10bb59b07d6bd

SHA512
08e57a13eeb94abab4d5418a0bc62defdd7202ad1cf861d7b87c0f0cef2dad5765a547b4800c1fbf15f3e0335a3103daebb9b1ce990b081b8b602c9d328ad06d

Download Submit