Overview
overview
10Static
static
10Incognito.exe
windows7-x64
7Incognito.exe
windows10-2004-x64
8bin/incogn...au.dll
windows7-x64
1bin/incogn...au.dll
windows10-2004-x64
1_collections_abc.pyc
windows7-x64
3_collections_abc.pyc
windows10-2004-x64
3_weakrefset.pyc
windows7-x64
3_weakrefset.pyc
windows10-2004-x64
3abc.pyc
windows7-x64
3abc.pyc
windows10-2004-x64
3codecs.pyc
windows7-x64
3codecs.pyc
windows10-2004-x64
3collection...__.pyc
windows7-x64
3collection...__.pyc
windows10-2004-x64
3collections/abc.pyc
windows7-x64
3collections/abc.pyc
windows10-2004-x64
3copyreg.pyc
windows7-x64
3copyreg.pyc
windows10-2004-x64
3encodings/...__.pyc
windows7-x64
3encodings/...__.pyc
windows10-2004-x64
3encodings/aliases.pyc
windows7-x64
3encodings/aliases.pyc
windows10-2004-x64
3encodings/ascii.pyc
windows7-x64
3encodings/ascii.pyc
windows10-2004-x64
3encodings/...ec.pyc
windows7-x64
3encodings/...ec.pyc
windows10-2004-x64
3encodings/big5.pyc
windows7-x64
3encodings/big5.pyc
windows10-2004-x64
3encodings/...cs.pyc
windows7-x64
3encodings/...cs.pyc
windows10-2004-x64
3encodings/...ec.pyc
windows7-x64
3encodings/...ec.pyc
windows10-2004-x64
3Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 23:00
Behavioral task
behavioral1
Sample
Incognito.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Incognito.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
bin/incognito-luau.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
bin/incognito-luau.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
_collections_abc.pyc
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
_collections_abc.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
_weakrefset.pyc
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
_weakrefset.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
abc.pyc
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
abc.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
codecs.pyc
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
codecs.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
collections/__init__.pyc
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
collections/__init__.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
collections/abc.pyc
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
collections/abc.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
copyreg.pyc
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
copyreg.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
encodings/__init__.pyc
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
encodings/__init__.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
encodings/aliases.pyc
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
encodings/aliases.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
encodings/ascii.pyc
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
encodings/ascii.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
encodings/base64_codec.pyc
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
encodings/base64_codec.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
encodings/big5.pyc
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
encodings/big5.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
encodings/big5hkscs.pyc
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
encodings/big5hkscs.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
encodings/bz2_codec.pyc
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
encodings/bz2_codec.pyc
Resource
win10v2004-20241007-en
General
-
Target
_collections_abc.pyc
-
Size
50KB
-
MD5
60b1b6f71502b5af1e52305a2a0b1db3
-
SHA1
7e3d6f0c2dbfa11bc5d46162c1b995c48ef0bf97
-
SHA256
575c455c2d7630afb48bc76c7320544c57739c7660b4320d0aaec909234c0572
-
SHA512
62e478a77c535c4bb1e1297d6f7cc5248c4122ec66192b34b28d6cf5019df96ee24503972af4b0f71a20806c12cbb40722436178a7b4b29f4af92a8dd75f5dcc
-
SSDEEP
768:4W0g3LUXl5SPb9TycwdvkimlmAQ4sqL7+w/jEthRUeRKivBjjW:4W0g3LEGe1vkimlmAQRqLShRUGO
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2856 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2856 AcroRd32.exe 2856 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2460 wrote to memory of 1796 2460 cmd.exe 32 PID 2460 wrote to memory of 1796 2460 cmd.exe 32 PID 2460 wrote to memory of 1796 2460 cmd.exe 32 PID 1796 wrote to memory of 2856 1796 rundll32.exe 33 PID 1796 wrote to memory of 2856 1796 rundll32.exe 33 PID 1796 wrote to memory of 2856 1796 rundll32.exe 33 PID 1796 wrote to memory of 2856 1796 rundll32.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\_collections_abc.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\_collections_abc.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\_collections_abc.pyc"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2856
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD57555a96a0a3a8f383b96ea4e18af02ef
SHA1bb651f08244e562c149030acfff78ca54770a70f
SHA2561f8482891537bd78a456e3f36b2c66ffd0b7f0e9f25d162102adbeb1e269342b
SHA512f37e4be8d14e7a892b2f4f3c9f821627d53f553ded7bfa70cc75ec2acf3f1029a7cb28334f5f88c1f5e3503d8dcbb800ed5d4d5eeeedc4450231c62e968c9077