3cfb5e4c47015ffff48609e8400770850a61d53e59259cba2a0b1c36a88c9aab

Resubmissions

03-10-2024 14:37

241003-ry6f3azgnm 10

02-10-2024 18:00

241002-wlawvazanm 10

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sim.py
Size

20KB
MD5

0c472b2e6618aca50cb2dff20cd51562
SHA1

df5a0d16ee26aa97087c9d1cd28e08632bcd6000
SHA256

3cfb5e4c47015ffff48609e8400770850a61d53e59259cba2a0b1c36a88c9aab
SHA512

17ac9ba0eb34fb86bdc2cec890f54b0a802b8535c05bfa8479e69a63c352eba51b9df04eb66b03a431921de7bde368d5a7a2edb6217b7b2871f4cdc1a114a1dc
SSDEEP

384:GRExTcSVqPb61rNykWy/k74Fft1froMzZOguu:NxTcSVqPb6N/7oIeu

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2556 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2556 AcroRd32.exe
2556 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

pid	process
2556	AcroRd32.exe

pid	process
2556	AcroRd32.exe
2556	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2028 wrote to memory of 2592	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 2592	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 2592	2028	cmd.exe	rundll32.exe
PID 2592 wrote to memory of 2556	2592	rundll32.exe	AcroRd32.exe
PID 2592 wrote to memory of 2556	2592	rundll32.exe	AcroRd32.exe
PID 2592 wrote to memory of 2556	2592	rundll32.exe	AcroRd32.exe
PID 2592 wrote to memory of 2556	2592	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sim.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sim.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sim.py"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a54969beda7d6f92a35cb30cbce636e2

SHA1
839eb0d2a1573d782cc70ab02c5aae292d5ae4ae

SHA256
2fa0d9d5da320edb9a1fbde4c803d7163afea7c4a88661ed642b59aaaaecf4d6

SHA512
9476ef790932720c44376f9fb765deeb98bd31fdf51443ebefdf752acd6b6646468efc5a871b97d55dc21ac766eade6228895a56799d0f5ae31312ba65edad23

Download Submit