e5e4bc9b97c9c6fce7178373bd1d6e6204aeca5b0e9af8100cdbcaea9b8a8020

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capesolo-0.4.11/CAPEsolo/capelib/netlog.py
Size

10KB
MD5

d1ba25d6eb9ddd605204d2a67254490a
SHA1

6367b989246c72f0d1b5214db1846be414fe34d9
SHA256

44d18d381f30b11c04c8f34fb0bd2deb4753913774aa7915673d1ac60be3fe1e
SHA512

eca51ca7c14cec1b4407473aa88a6b428fc244ed3efe498e3bb26cdba24891838adea8bd5a44ad486df57f42da34554e10451e4af7e2619b37308f352ea4213c
SSDEEP

192:c+EJFvLaqAU6mkZXu86nrug4+tcn1j8MdZARsmqz:+As0ihhc1j8MnA6X

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2756 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2756 AcroRd32.exe
2756 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

pid	process
2756	AcroRd32.exe

pid	process
2756	AcroRd32.exe
2756	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1480 wrote to memory of 480	1480	cmd.exe	rundll32.exe
PID 1480 wrote to memory of 480	1480	cmd.exe	rundll32.exe
PID 1480 wrote to memory of 480	1480	cmd.exe	rundll32.exe
PID 480 wrote to memory of 2756	480	rundll32.exe	AcroRd32.exe
PID 480 wrote to memory of 2756	480	rundll32.exe	AcroRd32.exe
PID 480 wrote to memory of 2756	480	rundll32.exe	AcroRd32.exe
PID 480 wrote to memory of 2756	480	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.11\CAPEsolo\capelib\netlog.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.11\CAPEsolo\capelib\netlog.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.11\CAPEsolo\capelib\netlog.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
daefe11ad8dc85c031aece7e215d6ecb

SHA1
a480e75f128a2d3260874f3f1f67cd3f1f97fb75

SHA256
d6d162804c87207d6d3e894b5df2c0dc9cfa795b8c1adf9d615455e5cfce0529

SHA512
f0a820eee45642407b2e84f5a4c14a019b75ade868b71a20b271b588eda47d21854d0909bcdecd2a778f9499fe035d3fd1ed0fe978c730745224fae29cb0fc41

Download Submit