b65314d02faa66713e2c3352fb89996c4b69d6377d867d4227fe8e8dbcd9e6f6

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capesolo-0.4.13/CAPEsolo/capelib/netlog.py
Size

10KB
MD5

d1ba25d6eb9ddd605204d2a67254490a
SHA1

6367b989246c72f0d1b5214db1846be414fe34d9
SHA256

44d18d381f30b11c04c8f34fb0bd2deb4753913774aa7915673d1ac60be3fe1e
SHA512

eca51ca7c14cec1b4407473aa88a6b428fc244ed3efe498e3bb26cdba24891838adea8bd5a44ad486df57f42da34554e10451e4af7e2619b37308f352ea4213c
SSDEEP

192:c+EJFvLaqAU6mkZXu86nrug4+tcn1j8MdZARsmqz:+As0ihhc1j8MnA6X

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2904 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2904 AcroRd32.exe
2904 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

pid	process
2904	AcroRd32.exe

pid	process
2904	AcroRd32.exe
2904	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2616 wrote to memory of 2404	2616	cmd.exe	rundll32.exe
PID 2616 wrote to memory of 2404	2616	cmd.exe	rundll32.exe
PID 2616 wrote to memory of 2404	2616	cmd.exe	rundll32.exe
PID 2404 wrote to memory of 2904	2404	rundll32.exe	AcroRd32.exe
PID 2404 wrote to memory of 2904	2404	rundll32.exe	AcroRd32.exe
PID 2404 wrote to memory of 2904	2404	rundll32.exe	AcroRd32.exe
PID 2404 wrote to memory of 2904	2404	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\netlog.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\netlog.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\netlog.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a7548c4584ec8e61bc10eb93ed5f65ef

SHA1
66601c3d2d8659b6f594ca4b1da49514724c5d7f

SHA256
6d2f916f9b5363fcdd869eb0d811ab8f7015d7d6e6ebd003289fb767eec7b954

SHA512
045e2f4b62b415efcfb402855ababd2357b9c6af2b13cf36bba3785947fffce9e0467059e721e03da6a56073c4c50e192d2e72ffef4c25d00d91c0df1c4585a1

Download Submit