b65314d02faa66713e2c3352fb89996c4b69d6377d867d4227fe8e8dbcd9e6f6

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capesolo-0.4.13/CAPEsolo/capelib/objects.py
Size

11KB
MD5

e8bb365fd800ac851f96c749bc8ed910
SHA1

dfa1b72f17694d9939bcda116cdcc3c09f8c7adc
SHA256

93cc23df76e2e5b113ea7fc9c155d6465cf543527881f0dbdb86a5d722bb835c
SHA512

3a4e447e3335d7309b7dc4ecdcac24d55d3ce2472dd89bb6cc61562eada708d5eba641085147639ed817deb8708a475276a48ce4bf76b4e27e55b28661327ccf
SSDEEP

192:9Ke3F1H64hqjStV5Xai3bD5c+uqDF7pAxsNBAqPMFMR:9Ke3vH64hqOtV5Xai3/6qhpAx9qPss

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2568 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2568 AcroRd32.exe
2568 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

pid	process
2568	AcroRd32.exe

pid	process
2568	AcroRd32.exe
2568	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2828 wrote to memory of 2788	2828	cmd.exe	rundll32.exe
PID 2828 wrote to memory of 2788	2828	cmd.exe	rundll32.exe
PID 2828 wrote to memory of 2788	2828	cmd.exe	rundll32.exe
PID 2788 wrote to memory of 2568	2788	rundll32.exe	AcroRd32.exe
PID 2788 wrote to memory of 2568	2788	rundll32.exe	AcroRd32.exe
PID 2788 wrote to memory of 2568	2788	rundll32.exe	AcroRd32.exe
PID 2788 wrote to memory of 2568	2788	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\objects.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\objects.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\objects.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1a6e60bd63e8ab845ea509a50925dcf3

SHA1
99392220cee9fbf4ffe00474f3f8bb498d83044c

SHA256
a7c04b5a266868360caeb498c4f53ae568adb5ac1dcb180a3cdeec20c10fbd7f

SHA512
ff9c9a7bdda7ca009ca38bd24398ce838479d5b4e36563b8aedcc1625a9da5229f907489fdc544f9102d4a8eaf3e3c6974a2888babeb879e5cb28eaf9f201f40

Download Submit