82906c8ce512d1d4e4436e48846a20d7a7f6cc85e6609f79e2177a5cc4f0742c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sim.py
Size

3.8MB
MD5

cb19e2f6e76eb6234c4612802ba74ba7
SHA1

c04f7302315afa60f2a90af7c232c42fc27956e4
SHA256

82906c8ce512d1d4e4436e48846a20d7a7f6cc85e6609f79e2177a5cc4f0742c
SHA512

8b0b09410ccc705c5290ef17f9428643bead10a5daa813b4654d7dd9ed413b2504ef5d07c39e037c7ea988beeeddf522bb999b8127c11489c5db642e19b4ae4b
SSDEEP

384:KRExTcSVqPb61rNykWy/k74Fft1froMzZxuF:RxTcSVqPb6N/7oIWF

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2608 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2608 AcroRd32.exe
2608 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

pid	process
2608	AcroRd32.exe

pid	process
2608	AcroRd32.exe
2608	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2288 wrote to memory of 2832	2288	cmd.exe	rundll32.exe
PID 2288 wrote to memory of 2832	2288	cmd.exe	rundll32.exe
PID 2288 wrote to memory of 2832	2288	cmd.exe	rundll32.exe
PID 2832 wrote to memory of 2608	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 2608	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 2608	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 2608	2832	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sim.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sim.py
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sim.py"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
bd2f9412c5a5773382037078554d5b8e

SHA1
62ed191c3df21b3aee14782e6570625a18eb626e

SHA256
b8f2f41a356c560b9c88d8d0cf608d93c2bc26b58ec245b9c7c4a04967651afb

SHA512
21c9a57e69b3661783465bd52b29803b6706b5126b22e538abafdd1bed5d03b879c021843f6b10d5555ccb2284c398b106a5a76be6cbc7f4c8a24e587b788cad

Download Submit