222a95474744c4152632a32f39113b2e4463b687176165a156ea37b0128ae4ea

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vortex/__pycache__/lunar.cpython-312.pyc
Size

3KB
MD5

537692781ea1bbc26e6cff054bbf723e
SHA1

da6cf2cc5fb8902db6027ec0cf9d60f7aa41c36c
SHA256

93b0b0a52938648ff114aeafe9b62a16ec181980d2333c21d610501fb86b138f
SHA512

a89b9e78be3830f829c4aa2036e661782db0a3ebd9029f643c96494216c8c43cfe1998736347747c5b9149e915bc3e50822cf57f8811004c4290e4340eaa1f8e

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	AcroRd32.exe
2788	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2828	2360	cmd.exe	32
PID 2360 wrote to memory of 2828	2360	cmd.exe	32
PID 2360 wrote to memory of 2828	2360	cmd.exe	32
PID 2828 wrote to memory of 2788	2828	rundll32.exe	33
PID 2828 wrote to memory of 2788	2828	rundll32.exe	33
PID 2828 wrote to memory of 2788	2828	rundll32.exe	33
PID 2828 wrote to memory of 2788	2828	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Vortex\__pycache__\lunar.cpython-312.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Vortex\__pycache__\lunar.cpython-312.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Vortex\__pycache__\lunar.cpython-312.pyc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3984039793909d44aec2ef5e84bcbd4f

SHA1
d222d9e4f86e74c0989c5f8db1ee4a886d66227f

SHA256
b27db9a96f8379b9233980ba8755b4a93cdd5e7928a2d352233fb4a630d7e307

SHA512
91fedc23e1525a53486464de6c5b7dc6cd89cd1e939caada4d9fae82e7dead87efccaba27efcf00589423475d8282205f651b165ec1c1f2778aaec5f07def117

Download Submit