9b696d0170ec20a6806b4a43fea0e2ed8d25b274611681d3fd26416d189d8e58

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Razer Synapse 3 Host/clean.py
Size

2KB
MD5

4e777936ca7fd8fa2bae957b084a33d9
SHA1

bda7bba90b9f769b1d2ca3648831f31983e4261e
SHA256

2a6f17f9f747afd690f8134ee06cbc120d952d09a8d855214fa84e1d80e43e0e
SHA512

3c1fadc4bc7d7944a933eccd0d507127572b1b6ce1f4cf0b945134c109fe100852e8b95f6fea7066d9c773125328461a33a6569bfd750d2ad5994e76d202b65d

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	AcroRd32.exe
2924	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2984	2600	cmd.exe	31
PID 2600 wrote to memory of 2984	2600	cmd.exe	31
PID 2600 wrote to memory of 2984	2600	cmd.exe	31
PID 2984 wrote to memory of 2924	2984	rundll32.exe	33
PID 2984 wrote to memory of 2924	2984	rundll32.exe	33
PID 2984 wrote to memory of 2924	2984	rundll32.exe	33
PID 2984 wrote to memory of 2924	2984	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Razer Synapse 3 Host\clean.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Razer Synapse 3 Host\clean.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Razer Synapse 3 Host\clean.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
315570440756f96e59c085b923c1039f

SHA1
c5d7ab67039c8ee6a259aeadd65f148efd34570e

SHA256
9b980f3618afa5ecf9d6f08f488df54a42b96f3c1d4231b8afd5be72b7269c30

SHA512
09ccd09fd2d8c4ada73fb1c8a27d04617c567529d8dce9cb2eab4edaaae0c56a8b24680db11c2662eb557aa5b5a58fb4370a2fe74ceebb3768d4a37a29b54d1b

Download Submit