88a3cc48a8bcef7873b286ecaf3a4e618dd20fd478fd9fae1634bdb5b4b79461

Analysis

max time kernel
121s
max time network
132s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13/12/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

docs/source/_ext/edit_on_github.py
Size

1KB
MD5

0f9e50635860b77ac62e43f758daa1cd
SHA1

90795a0943c192abb7867a7911f26e5c6d3246ee
SHA256

677bec1d3a5dd1b681b6819596302f162f97ecd058bf68000b0c5788861147ff
SHA512

44b9af8dc489ec287b49e9d07f7e89aeed468e65212028bdf4b789317f55d43a7e6ec691bc7e1f1a02c174d10aaa673d42561531db7bffbf9dc5298b374548be

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
112	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
112	AcroRd32.exe
112	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 948	2948	cmd.exe	31
PID 2948 wrote to memory of 948	2948	cmd.exe	31
PID 2948 wrote to memory of 948	2948	cmd.exe	31
PID 948 wrote to memory of 112	948	rundll32.exe	32
PID 948 wrote to memory of 112	948	rundll32.exe	32
PID 948 wrote to memory of 112	948	rundll32.exe	32
PID 948 wrote to memory of 112	948	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\docs\source\_ext\edit_on_github.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\docs\source\_ext\edit_on_github.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\docs\source\_ext\edit_on_github.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e176fd2f6e464ed65c3ae0983ff8c82e

SHA1
88f579d67a1b2f18b96489cd51ce24d08d2c4255

SHA256
ed2f59f4f99dbd5bd889584d0bc7b1e46080431ae30e07943b84551c509bd007

SHA512
986ca123fd0245e618cda0c5bf76a24432559ec88acec784961cd5d848d1f740889339fce4405f47140dbbc35144003820bd30174bc32312247e168cd3259e63

Download Submit