Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/11/2024, 13:15

General

  • Target

    f181539ea1a6b62a1284e880086561b18804c99c5deb1ffbf6e3b2f2a509db34.py

  • Size

    7.5MB

  • MD5

    f30b452b28537cc5e4dbf2684d41a837

  • SHA1

    3d5756d16e9b568d655a271a0b71e994879032c9

  • SHA256

    f181539ea1a6b62a1284e880086561b18804c99c5deb1ffbf6e3b2f2a509db34

  • SHA512

    e1f487fed813b345e740ec4f27955ebe7d092749724cf18d079e7b09cb85037d15694f1991c5976ea514fe3941f553081f2b60a7c6634415ce6fac6118e52612

  • SSDEEP

    768:thzBW17YFB8B0GnbCjF2BOCyE5dv0KD1katzCx+k2Y5wWaBIzmh5ePYEDiwSriu1:thzB8EF/QD

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\f181539ea1a6b62a1284e880086561b18804c99c5deb1ffbf6e3b2f2a509db34.py
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\f181539ea1a6b62a1284e880086561b18804c99c5deb1ffbf6e3b2f2a509db34.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f181539ea1a6b62a1284e880086561b18804c99c5deb1ffbf6e3b2f2a509db34.py"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2608
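
The process tree above shows what actually happened to the sample. The image has no handler registered for the .py extension, so `cmd /c` on the file fell through to the shell's "Open with" dialog (`rundll32 shell32.dll,OpenAs_RunDLL`), and the handler that got picked was Adobe Reader 9, which was then started with the script as its argument. The signatures and the 3/10 score therefore describe Adobe Reader opening a file it cannot parse, not the behaviour of the Python code; the sample was never executed as Python. The following is an added example, not part of this report or of the sandbox's own tooling, of a triage check that walks such a process tree and flags this failure mode before anyone reads the verdict as a clean result. The `Proc` type, the `EXPECTED_HANDLERS` table and the `triage()` function are assumptions of the example; `TREE` is constructed from the process listing in this report, and `PYTHON_TREE` is a hypothetical run in which an interpreter was present.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set


@dataclass
class Proc:
    """One node of a sandbox process tree: image path, command line, children."""
    pid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


# Extension -> image names that would show the sample really ran as that type.
# Hypothetical table for illustration; extend it for the file types you triage.
EXPECTED_HANDLERS: Dict[str, Set[str]] = {
    ".py": {"python.exe", "pythonw.exe", "py.exe"},
    ".js": {"wscript.exe", "cscript.exe"},
    ".ps1": {"powershell.exe", "pwsh.exe"},
}

# rundll32 shell32.dll,OpenAs_RunDLL <file> is Windows' "Open with" dialog:
# the shell had no registered handler for the file's extension.
OPENAS_RE = re.compile(r"shell32\.dll\s*,\s*OpenAs_RunDLL", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f181539ea1a6b62a1284e880086561b18804c99c5deb1ffbf6e3b2f2a509db34.py")

# Constructed from the process tree in this report.
TREE = Proc(2288, r"C:\Windows\system32\cmd.exe", "cmd /c " + SAMPLE, children=[
    Proc(2832, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
         + SAMPLE, children=[
             Proc(2608, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
                  r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "'
                  + SAMPLE + '"'),
         ]),
])

# Hypothetical tree for a run where a Python interpreter was installed.
PYTHON_TREE = Proc(1000, r"C:\Windows\system32\cmd.exe", "cmd /c " + SAMPLE, children=[
    Proc(1004, r"C:\Python27\python.exe", '"C:\\Python27\\python.exe" "' + SAMPLE + '"'),
])


def walk(proc: Proc) -> Iterator[Proc]:
    """Depth-first traversal of the tree, parents before children."""
    yield proc
    for child in proc.children:
        yield from walk(child)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path; tolerates Windows separators."""
    return os.path.basename(path.replace("\\", "/")).lower()


def triage(root: Proc, sample_path: str) -> Dict[str, object]:
    """Decide whether the sample was executed by a handler appropriate to its
    extension, or was instead handed to the 'Open with' dialog and opened by
    whatever application the dialog picked."""
    ext = os.path.splitext(sample_path)[1].lower()
    expected = EXPECTED_HANDLERS.get(ext, set())
    sample_lc = sample_path.lower()
    executed_by: Optional[str] = None
    openas: Optional[Proc] = None

    for p in walk(root):
        mentions_sample = sample_lc in p.cmdline.lower()
        name = image_name(p.image)
        if mentions_sample and name in expected:
            executed_by = name
        if mentions_sample and OPENAS_RE.search(p.cmdline):
            openas = p

    # Children of the OpenAs rundll32 are the application(s) the dialog chose.
    fallback = sorted({image_name(c.image) for c in openas.children}) if openas else []

    if executed_by:
        verdict = "sample executed by %s" % executed_by
    elif openas:
        verdict = ("sample never executed: no handler for %s; Open With launched %s"
                   % (ext, ", ".join(fallback) or "nothing"))
    else:
        verdict = "inconclusive: no expected handler and no Open With fallback seen"

    return {
        "extension": ext,
        "executed_by_expected_handler": executed_by is not None,
        "handler": executed_by,
        "openas_fallback": openas is not None,
        "fallback_handlers": fallback,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(TREE, SAMPLE)["verdict"])
    print(triage(PYTHON_TREE, SAMPLE)["verdict"])
```

The check keys on two things the report itself exposes: the image name of every process whose command line names the sample, and the `OpenAs_RunDLL` export of shell32.dll. A report with `openas_fallback` set should be re-detonated on an image that has the right interpreter (or submitted with the interpreter as the launch command) before its score or signatures are trusted.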

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    be5d090a4efe07958c077d89ce346c04

    SHA1

    dcb7505e7cfc92d82804876fa14c4be9f76ca8e9

    SHA256

    6fb4f07c13a6940120801896c05697191b31b06c8ec2d418b044e6d2596438f4

    SHA512

    b0612b9411e6241c67fa1f7101cc9de70ed72f10aef1ac0be7c46c645fb43bd06b9ecb486a9d8824d052a9a2082e24ea53209c5c9ecafb84619e12a2c1a4f837