Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06-11-2024 17:53
Behavioral tasks
- behavioral1: Sample loader.exe, Resource win7-20240729-en
- behavioral2: Sample loader.exe, Resource win10v2004-20241007-en
- behavioral3: Sample loader-o.pyc, Resource win7-20240903-en
- behavioral4: Sample loader-o.pyc, Resource win10v2004-20241007-en
General
- Target: loader-o.pyc
- Size: 1KB
- MD5: f7a0ef8605877d2c5c445cd1cd7ca182
- SHA1: 53011f1c3a9cdf7fc110d69cd2450a2a6fb601da
- SHA256: 860c0a45a4ee72fa9fd326629f16b7b45f773932e6be0e2b51ef278e28189cd6
- SHA512: 90f2e0a51ac2f12288265565908dd9d54b56e4f792a4526054ed0e481e5a78c195ddda8564d24b3023220ca52869273337e7443f07f76b41db6c04272dee7974
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                                Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language        AcroRd32.exe
- Modifies registry class (1 IoCs)
  description   ioc                                                                                     Process
  Key created   \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings       rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    Process
  2620   AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  2620   AcroRd32.exe
  2620   AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid    Process        procid_target
  PID 2840 wrote to memory of 1272     2840   cmd.exe        31
  PID 2840 wrote to memory of 1272     2840   cmd.exe        31
  PID 2840 wrote to memory of 1272     2840   cmd.exe        31
  PID 1272 wrote to memory of 2620     1272   rundll32.exe   32
  PID 1272 wrote to memory of 2620     1272   rundll32.exe   32
  PID 1272 wrote to memory of 2620     1272   rundll32.exe   32
  PID 1272 wrote to memory of 2620     1272   rundll32.exe   32
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\loader-o.pyc
  PID: 2840
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\loader-o.pyc
    PID: 1272
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\loader-o.pyc"
      PID: 2620
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 64da1f7a5414d0ecad513aa354050069
  SHA1: 5b95ab70ffa47f822a0c592203df5e900ac14b6a
  SHA256: 9efba3daa91a16986aac69377ffa4c1b171e2735eb0df80555cd4ff62759dd12
  SHA512: 840fff6dd97ba8995c56dda73517ca0b67d63617917ee6827fdc0ab5f8931863f092d9f4181ea6b5e5c86917bbe9c06e353f44abf88a3b7b470f81fa1854aa69