4861dc86e0eef13b546d4a6e69e1f9ada2a81ee13bf4c2a4f55f381e6c4a2c72

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platforms/aix/local/4612.py
Size

852B
MD5

3a00f0caf3fbae527dab35d00d3b0969
SHA1

3acc5284594de2898139ef60b92736cc0c504ef0
SHA256

92d1deaa8456ec5292012315262c628bd315ba7e741a51212cf1f246dc054d2c
SHA512

3887dee78ee5d0758da52e985003aa4b31a76d196ecb578c5fc88ca5f5d00f46f4b1134faca47f5fa9ea5c0d5d16e27809b3d1e4fc8256299b6096ec46a7f162

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2700	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	AcroRd32.exe
2700	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2692	2912	cmd.exe	31
PID 2912 wrote to memory of 2692	2912	cmd.exe	31
PID 2912 wrote to memory of 2692	2912	cmd.exe	31
PID 2692 wrote to memory of 2700	2692	rundll32.exe	32
PID 2692 wrote to memory of 2700	2692	rundll32.exe	32
PID 2692 wrote to memory of 2700	2692	rundll32.exe	32
PID 2692 wrote to memory of 2700	2692	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\4612.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\4612.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\4612.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e0d8484b14861ffe0bd15c8510da0a67

SHA1
28843c8d3e94b5c245fb40450b317f3c21289f00

SHA256
7cde2d873f357144e99648a8ee1c9c53c5fbf28cb0049a90c82a75318b27f190

SHA512
089ba33df31acd1737be8956441ee06879973c41c4d47825647ee651796f630592f7ae7172635e5da85cf68d33c236ca9904ef25f612293fad3012c48b18d603

Download Submit