c46ecfd1fd04ee8ddfa5170a0ebcd2d12288cca7ecdc97516aa80ca914847045

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Dependencies/Luau/bench/color.py
Size

993B
MD5

bbf3ecaff78853a2d7e23197441d386b
SHA1

781273882ae8a44163a916f02bb4019cb546da6a
SHA256

45c91005505d500206006ac6736ce29e9744fc6eabb645f28359e9b7b59c33f9
SHA512

467cbbc6ad955c945e16d88cdaf5027954af63b04039dd5440a5de812849ef491b23571608d64a50a2014cd260ac1d4b0fc17bbb475402fd3fb238bbb3f3ff03

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2876	AcroRd32.exe
2876	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1832	2536	cmd.exe	31
PID 2536 wrote to memory of 1832	2536	cmd.exe	31
PID 2536 wrote to memory of 1832	2536	cmd.exe	31
PID 1832 wrote to memory of 2876	1832	rundll32.exe	32
PID 1832 wrote to memory of 2876	1832	rundll32.exe	32
PID 1832 wrote to memory of 2876	1832	rundll32.exe	32
PID 1832 wrote to memory of 2876	1832	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dependencies\Luau\bench\color.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dependencies\Luau\bench\color.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dependencies\Luau\bench\color.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3f0acb3d1f33de4030a4538326033398

SHA1
22211ac10b50105d500c6ec7218c320b62c6fda6

SHA256
f87cea2b1009a0c9cc39fea2b3cc3c859bf3eff5132f81e889cfb102b5cffd26

SHA512
0db1321319360d82b84d7f25a0008ceb18646c8bc0f6b4a2930001b8a2ac085bf10bc691cab3f7741facc637b591ce8dcc4aa818a0155fa7f1eb3844fb2c86ff

Download Submit