b65314d02faa66713e2c3352fb89996c4b69d6377d867d4227fe8e8dbcd9e6f6

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

capesolo-0.4.13/CAPEsolo/capelib/parse_pe.py
Size

28KB
MD5

661a1e2a686837d53eca831ea72599eb
SHA1

58a69265e2c2a30381efdcdfd68b4e0a13673569
SHA256

705cbe2d96310371352c370fcc9d46fc5b3c81b55a87a6a533e6d4c05cd5d753
SHA512

75950d6d02a8e5d33d02e58c7401e80c88490be91ff1883f44cfe85225ceaaeb852ee08f2bd20c3aa54e9a9fbdffdfa978d8f6437c3ec22ec8f69ad04d6b4924
SSDEEP

192:E2hMbnOI9b4qOJpUxLTCEzg20pUPXlub8amXGDDpwZkWC7haLmUaaoGsVWuzgUVP:HMNepUx0pUtuIamkQeXHDkJ04KOFaLuI

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

764 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

764 AcroRd32.exe
764 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

pid	process
764	AcroRd32.exe

pid	process
764	AcroRd32.exe
764	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2416 wrote to memory of 1924	2416	cmd.exe	rundll32.exe
PID 2416 wrote to memory of 1924	2416	cmd.exe	rundll32.exe
PID 2416 wrote to memory of 1924	2416	cmd.exe	rundll32.exe
PID 1924 wrote to memory of 764	1924	rundll32.exe	AcroRd32.exe
PID 1924 wrote to memory of 764	1924	rundll32.exe	AcroRd32.exe
PID 1924 wrote to memory of 764	1924	rundll32.exe	AcroRd32.exe
PID 1924 wrote to memory of 764	1924	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\parse_pe.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\parse_pe.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\capesolo-0.4.13\CAPEsolo\capelib\parse_pe.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2bf88aac2fd9e21793e4e167d5597d2d

SHA1
ab1b3b1c98471f8f935fc25a317d541b67c1a66b

SHA256
ae25d76721d0ccdeea6af6816f5d5502dbb25d8ebfbe1003e133e34174255359

SHA512
96e09ce2d920770a1e4c12f6fb3913f2b8407f341da5b544217a6d0a00469bd116240e73a4e97974266f0404297cdb975c24a6467ed8d48d50e798e400b251e1

Download Submit