a99de695bdc022b6ec1f08b810f50bacf9d1795b0fb30046123a19c47c4cf086

Analysis

max time kernel
103s
max time network
52s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDA Pro 8.3.230608 (x86, x86_64)/python/examples/core/add_hotkey.py
Size

996B
MD5

c60df134ff1fd735abb09677fc751798
SHA1

722cebe716d12d2f13dfb4812482e48ca57b436e
SHA256

8165883ce79e4b2342f8a6644dbededcc04ec279064339b77f54aba16f9cc967
SHA512

e7ee556235a2430d8bf14b1eb47154016e69cf8fd902d9c43e7acd4158bea901f7f4f1f8d6d4b1a8789d2a7ad2c5e199aaf3b03e0197231543dceda052f4dff0

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	AcroRd32.exe
2800	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2872	1668	cmd.exe	30
PID 1668 wrote to memory of 2872	1668	cmd.exe	30
PID 1668 wrote to memory of 2872	1668	cmd.exe	30
PID 2872 wrote to memory of 2800	2872	rundll32.exe	31
PID 2872 wrote to memory of 2800	2872	rundll32.exe	31
PID 2872 wrote to memory of 2800	2872	rundll32.exe	31
PID 2872 wrote to memory of 2800	2872	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\IDA Pro 8.3.230608 (x86, x86_64)\python\examples\core\add_hotkey.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\IDA Pro 8.3.230608 (x86, x86_64)\python\examples\core\add_hotkey.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\IDA Pro 8.3.230608 (x86, x86_64)\python\examples\core\add_hotkey.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
29e638f19be577830fa9de4a85b93896

SHA1
e6bc6a2d42233c22e9d8df0c1c49998d02d5ae0a

SHA256
83f4b94b251849199af7a06a2dc7f71ec8f424cc535a267429f555a2e872ff2f

SHA512
0ad7376fc930381e2807087f0f79674eb81226a953a8acc6674282208a906b37b9c11aef9fb90bef71d39ceedb695855151bd49b71919c15aa3d3260b3c09902

Download Submit