7ab7c3855092fd3a05a2130e76f84961cb10fd885aac6d6e555aa02d2967004b

Analysis

max time kernel
14s
max time network
0s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/10/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.py
Size

129KB
MD5

49a690764a7708963d10163e49e91ffe
SHA1

2943c0ee5db4c915487da727a7191d2c42c6d1c3
SHA256

7ab7c3855092fd3a05a2130e76f84961cb10fd885aac6d6e555aa02d2967004b
SHA512

a67aacf6dc6a708da8e70fd543626b1d2839a8f79fd0c866a9e3205a8492de087ea91371e51417cc59868db83b43600866dbe328fbd403c66d10047ecc4f9ce2
SSDEEP

1536:GrZPOgijvWAlYBI1JUVZ7lnQCrJrctSZ0lH/6Qxers2kylbUPri/rola:aGlmG1JUVZ7lnQW97kylbUji/Ya

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2836	AcroRd32.exe
2836	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2372	2672	cmd.exe	32
PID 2672 wrote to memory of 2372	2672	cmd.exe	32
PID 2672 wrote to memory of 2372	2672	cmd.exe	32
PID 2372 wrote to memory of 2836	2372	rundll32.exe	33
PID 2372 wrote to memory of 2836	2372	rundll32.exe	33
PID 2372 wrote to memory of 2836	2372	rundll32.exe	33
PID 2372 wrote to memory of 2836	2372	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a20ae8f46f72bf24e9f3d73a42b3741c

SHA1
b48635225fa76d031a0ac713af12d68f5ca449d9

SHA256
430b7ab600286ad0589acac399bf713d2ff6d8e7a464079a4ca9a1b1b7a19480

SHA512
6f4463208facfb23c9b6a8595ddebc41880df08ec82b6baf72c631ddf2fa4ed4bb63cf14633dc6f23e15fd9c228b9a19139289c7c04b464d5b761777842097bf

Download Submit