Resubmissions
12-11-2024 03:23  241112-dxl45sxjbk  (score 10)

Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2024 03:23
Behavioral tasks (this report covers behavioral3: the Source Code.py run on win7-20240903-en)
behavioral1: Requirements installer.bat on win7-20240708-en
behavioral2: Requirements installer.bat on win10v2004-20241007-en
behavioral3: Source Code.py on win7-20240903-en
behavioral4: Source Code.py on win10v2004-20241007-en
behavioral5: VytrixDuper.exe on win7-20240903-en
behavioral6: VytrixDuper.exe on win10v2004-20241007-en
General
Target: Source Code.py
Size: 6KB
MD5: b8aa439871282435fe23e9fc8b982dc6
SHA1: 3cd1425a62afbd2aa49fc528f4d9fac3d0cae728
SHA256: 41cb1957be003b597652b9f97ae324366bea9992c2a4ffb88c4346999d54b7df
SHA512: ee78ddf1797f4338eb3269b56fa68270efe7a4cc80a234706eef4bc73b14376864513371dd3116f893fc6ac6a8e86c31b0434edd6ca89ba63a75174b5d6a0a55
SSDEEP: 96:Xw1Tw/hL8s/cjbID/HWas5mNPKJ0GPafXcvwtozyJXgv3+YGMyFmnlsP:Aw/hL8s/cjO/H0mNPw8Xcvkoo4uBwlk
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: AcroRd32.exe

Modifies registry class (1 IoCs)
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | Process: rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 2068 | Process: AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2068 | Process: AcroRd32.exe
  pid: 2068 | Process: AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        | pid  | Process      | procid_target
  PID 2080 wrote to memory of 2680   | 2080 | cmd.exe      | 31
  PID 2080 wrote to memory of 2680   | 2080 | cmd.exe      | 31
  PID 2080 wrote to memory of 2680   | 2080 | cmd.exe      | 31
  PID 2680 wrote to memory of 2068   | 2680 | rundll32.exe | 32
  PID 2680 wrote to memory of 2068   | 2680 | rundll32.exe | 32
  PID 2680 wrote to memory of 2068   | 2680 | rundll32.exe | 32
  PID 2680 wrote to memory of 2068   | 2680 | rundll32.exe | 32
Processes

1. C:\Windows\system32\cmd.exe  (PID 2080)
   cmd /c "C:\Users\Admin\AppData\Local\Temp\Source Code.py"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe  (PID 2680)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Source Code.py
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 2068)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Source Code.py"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx

Note on this chain: shell32.dll,OpenAs_RunDLL is the entry point for the shell's "Open With" dialog. The launcher ran cmd /c on a .py file for which this Windows 7 image has no registered handler, so the shell fell through to that dialog and the file ended up opened as a document in Adobe Reader 9.0. Every signature in this report is therefore raised by rundll32.exe or AcroRd32.exe handling a text file; the Python source itself was never interpreted, and this run says nothing about what the script does when executed.
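A small triage helper for exactly this failure mode, added here as an example and not part of the report or of any sandbox tool: it parses the WriteProcessMemory rows and the process records copied from this report into a parent/child tree and reports whether the sample's code actually ran or whether the shell fell back to the Open With dialog. The row format the regex expects, the list of interpreter image names, and the verdict labels are assumptions made for the example.

```python
"""Decide from a sandbox process tree whether a script sample was executed
or merely handed to the "Open With" dialog (shell32.dll,OpenAs_RunDLL).

Added example. The PROCESSES and WPM_EVENTS data below are copied from the
report above; the parsing format and the SCRIPT_HANDLERS table are assumptions
for this example, not a sandbox API.
"""
import re
from collections import defaultdict

# Process records from the report's Processes section: pid -> (image, command line).
PROCESSES = {
    2080: ("cmd.exe",
           'cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\Source Code.py"'),
    2680: ("rundll32.exe",
           '"C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\shell32.dll,'
           'OpenAs_RunDLL C:\\Users\\Admin\\AppData\\Local\\Temp\\Source Code.py'),
    2068: ("AcroRd32.exe",
           '"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe" '
           '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Source Code.py"'),
}

# WriteProcessMemory rows exactly as printed in the report (constructed input).
WPM_EVENTS = """\
PID 2080 wrote to memory of 2680 2080 cmd.exe 31
PID 2080 wrote to memory of 2680 2080 cmd.exe 31
PID 2080 wrote to memory of 2680 2080 cmd.exe 31
PID 2680 wrote to memory of 2068 2680 rundll32.exe 32
PID 2680 wrote to memory of 2068 2680 rundll32.exe 32
PID 2680 wrote to memory of 2068 2680 rundll32.exe 32
PID 2680 wrote to memory of 2068 2680 rundll32.exe 32
"""

# "PID <writer> wrote to memory of <target> <pid> <image> <procid_target>" (assumed layout).
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Image names that would show the script source really being interpreted.
# Illustrative list for the example, not taken from the report.
SCRIPT_HANDLERS = {
    ".py": {"python.exe", "pythonw.exe", "py.exe"},
    ".bat": {"cmd.exe"},
    ".ps1": {"powershell.exe", "pwsh.exe"},
}


def parse_wpm(text):
    """Return de-duplicated (writer_pid, target_pid, writer_image) edges in report order."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # skip header or unrelated rows
        edge = (int(m.group(1)), int(m.group(2)), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def find_root(edges):
    """The process that writes to others but is never written to is the launcher."""
    writers = {e[0] for e in edges}
    targets = {e[1] for e in edges}
    roots = sorted(writers - targets)
    return roots[0] if roots else None


def build_tree(edges):
    children = defaultdict(list)
    for parent, child, _ in edges:
        children[parent].append(child)
    return children


def lineage(children, root):
    """Depth-first list of pids reachable from root, root first."""
    out, stack = [], [root]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return out


def classify(processes, edges, sample_ext):
    """Return the launch chain and a verdict on whether the sample's code ran."""
    root = find_root(edges)
    pids = lineage(build_tree(edges), root)
    chain = [f"{p} {processes[p][0]}" for p in pids if p in processes]
    images = {processes[p][0].lower() for p in pids if p in processes}
    cmdlines = [processes[p][1].lower() for p in pids if p in processes]
    if any("shell32.dll,openas_rundll" in c for c in cmdlines):
        verdict = "open_with_fallback"   # no file association; sample not executed
    elif images & SCRIPT_HANDLERS.get(sample_ext.lower(), set()):
        verdict = "interpreter_seen"     # an interpreter for the extension ran
    else:
        verdict = "unknown"
    return {"root": root, "chain": chain, "verdict": verdict}


if __name__ == "__main__":
    result = classify(PROCESSES, parse_wpm(WPM_EVENTS), ".py")
    print(" -> ".join(result["chain"]))
    print("verdict:", result["verdict"])
```

For this report the chain resolves to cmd.exe -> rundll32.exe -> AcroRd32.exe with the verdict open_with_fallback, which is the signal to re-run the sample on an image that has a Python interpreter (or to submit it as a document to a Python-aware runner) before reading anything into the signatures.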
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 5aab78537be63911769b7ca5d29492b2
SHA1: 45f47b2d6b1640a4dbc52e97571b7fe4f3b1f702
SHA256: e8dd5dac39814b3d824e3d5f72e7937fcff4e2c0c36c1435c852e402d0867843
SHA512: 885ac2f12cfd15517d3b5f4e5ddf8d03a9fa846aeea8f9fc83006c8a5b2685861462ed36929bc959f87b046ca29827ac42e2691cb8c4d48f78660848c6cd42d5