4e15af88aac65f1ac73a9ec2d18df57f44d37f19b38cc005f0b9daf4233d57ae

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

epigrass-1.5.1/Epigrass/epigdal.py
Size

15KB
MD5

36af9ee46969081937ea08289c8c5519
SHA1

329eb1e4666a9d739842fbbb36d16937ab350b0b
SHA256

56590df2fa1472bf4ac9ab2f8ffbd2bc496f0fadb5eb3ab6b0616d5470924e46
SHA512

8f25ed13316f953fe812137ea53b173a7112b269314367c36eded974701c2b40a6663218b4b0187d19aa08b8697074bae5d6b97b098ea2ecb27c698c342d6178
SSDEEP

384:Eih35Glc5es47UvAyRt2oaLc1y40G/eLoPbOJd8gls5Mui:Ei15Glc5es4Yvjt9kD4f/4MbOH8glsuL

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.py	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2264	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	AcroRd32.exe
2264	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2056	2236	cmd.exe	31
PID 2236 wrote to memory of 2056	2236	cmd.exe	31
PID 2236 wrote to memory of 2056	2236	cmd.exe	31
PID 2056 wrote to memory of 2264	2056	rundll32.exe	33
PID 2056 wrote to memory of 2264	2056	rundll32.exe	33
PID 2056 wrote to memory of 2264	2056	rundll32.exe	33
PID 2056 wrote to memory of 2264	2056	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\epigrass-1.5.1\Epigrass\epigdal.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\epigrass-1.5.1\Epigrass\epigdal.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\epigrass-1.5.1\Epigrass\epigdal.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
328669df23bdb4e9fba4ef6083adfbe9

SHA1
a422e8c830313be02f55ae93401d0768c4f559a8

SHA256
57a93b490ed79d22646e94d6deedadb90133f5b78caa2de5085227bdb816fb25

SHA512
ca335941726f6206ab0bd4a4e727203c39c0ac6a831fb1e0a9017aaca4ab46efaed3ee2d31402282e8e6bef83cb6fe923d3148f3546a5a091d8174cb21083bb1

Download Submit