f918a13dc2c83df5da9e9243a4f39420a40314c39982af4b4d402001e0968e39

Analysis

max time kernel
103s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exela-V2.0-main/builder.py
Size

9KB
MD5

c334e5c6dbdc27f8e8b48d1dac286f23
SHA1

4bc5853e91ad009c82efb16b8b4db489ea762995
SHA256

27ebc271f47bd76b63b5f3aa36b7f0587f3bd543c9ca5e0e89719df54ef82f73
SHA512

2de1d4879194e664d5d0911d1c36b6bf7c89fc25e86890e7028398c657ecb667564df08db7d7436a04a3cf7b1db30eb8ecd252b71281ca7b1523139871c47a13
SSDEEP

192:+m8jnYv13epp3UfI2Pa/fcjzgLu1krJUPjDxsOl/Zapl:+m4nM1upp39V8ELblU7DxsOfw

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2508	AcroRd32.exe
2508	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2332	3012	cmd.exe	30
PID 3012 wrote to memory of 2332	3012	cmd.exe	30
PID 3012 wrote to memory of 2332	3012	cmd.exe	30
PID 2332 wrote to memory of 2508	2332	rundll32.exe	31
PID 2332 wrote to memory of 2508	2332	rundll32.exe	31
PID 2332 wrote to memory of 2508	2332	rundll32.exe	31
PID 2332 wrote to memory of 2508	2332	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Exela-V2.0-main\builder.py
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Exela-V2.0-main\builder.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Exela-V2.0-main\builder.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0a61b0ab2bd0b96f421faba3ad04ccc2

SHA1
785110e9581f5a56e9a264a2c4bb7ac4163ad2e7

SHA256
4c8f857f74eb2c77d9544ac081943d88433b9d7b16af29d13d3cdb7b9775a233

SHA512
da227df5aa0a71fa3786bf2735a3b2015ec9727e2356a1aa9ff782c9728f677bfce6b481cc822d5239de9e01be666d82f5a8d8a0f9373762044f086cf9336126

Download Submit