e5e4bc9b97c9c6fce7178373bd1d6e6204aeca5b0e9af8100cdbcaea9b8a8020

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capesolo-0.4.11/CAPEsolo/capelib/parse_pe.py
Size

28KB
MD5

661a1e2a686837d53eca831ea72599eb
SHA1

58a69265e2c2a30381efdcdfd68b4e0a13673569
SHA256

705cbe2d96310371352c370fcc9d46fc5b3c81b55a87a6a533e6d4c05cd5d753
SHA512

75950d6d02a8e5d33d02e58c7401e80c88490be91ff1883f44cfe85225ceaaeb852ee08f2bd20c3aa54e9a9fbdffdfa978d8f6437c3ec22ec8f69ad04d6b4924
SSDEEP

192:E2hMbnOI9b4qOJpUxLTCEzg20pUPXlub8amXGDDpwZkWC7haLmUaaoGsVWuzgUVP:HMNepUx0pUtuIamkQeXHDkJ04KOFaLuI

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

564 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

564 AcroRd32.exe
564 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

pid	process
564	AcroRd32.exe

pid	process
564	AcroRd32.exe
564	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2112 wrote to memory of 1688	2112	cmd.exe	rundll32.exe
PID 2112 wrote to memory of 1688	2112	cmd.exe	rundll32.exe
PID 2112 wrote to memory of 1688	2112	cmd.exe	rundll32.exe
PID 1688 wrote to memory of 564	1688	rundll32.exe	AcroRd32.exe
PID 1688 wrote to memory of 564	1688	rundll32.exe	AcroRd32.exe
PID 1688 wrote to memory of 564	1688	rundll32.exe	AcroRd32.exe
PID 1688 wrote to memory of 564	1688	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.11\CAPEsolo\capelib\parse_pe.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.11\CAPEsolo\capelib\parse_pe.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.11\CAPEsolo\capelib\parse_pe.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
70a07900929ea17a272e07bcd1871c7d

SHA1
946904dfab58e812704fffbd5c29b8b45268dcd8

SHA256
b039f38934286d67d641a267a19d34e9b5e08a3bc07e184c9ade10cf548c36b5

SHA512
d7a9de3a3ee24291c853af8f6968093a49d59fae05aac58b5ec5560c5c4836a7273793e8068eed0f5822a5cd6f62b671c46add6dc75b9bfebdb0d1147f2e14fa

Download Submit