0654c8c5ee06bc8187528d4e26ea7fbcb3788fb2dcd0f675535273f3fe0296a0

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data/obs-plugins/frontend-tools/scripts/url-text.py
Size

2KB
MD5

5820b5ea1bca3926e4ab2ad78d441a48
SHA1

33fd263ebfaa5523e51414cd259a665ece96429b
SHA256

1e899b99e392b3779830f048466e70b0faca1d8bf541937eebb38bc1384f48a4
SHA512

6d234623d25cf8a90df779eb931d60acfb6e22e9e0ecdb18383543fc3253c4acf8f3db6d8b08a805a9fb614bfd6f4c2a845e863a2e494a26ae9c29b858d2ba56

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	AcroRd32.exe
2600	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2744	1104	cmd.exe	32
PID 1104 wrote to memory of 2744	1104	cmd.exe	32
PID 1104 wrote to memory of 2744	1104	cmd.exe	32
PID 2744 wrote to memory of 2600	2744	rundll32.exe	33
PID 2744 wrote to memory of 2600	2744	rundll32.exe	33
PID 2744 wrote to memory of 2600	2744	rundll32.exe	33
PID 2744 wrote to memory of 2600	2744	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\frontend-tools\scripts\url-text.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\frontend-tools\scripts\url-text.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\frontend-tools\scripts\url-text.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b7673baaa213b8e868193ecd1ad84524

SHA1
dcc1f9e6477c1c4a8f5935551f4225826a68d6e7

SHA256
caada01c669aca9a4554bfb3799b9749fa77b068becf11d4cb70f0006f9f90e0

SHA512
322979728e2bb34d27c41a38ad5416aecc8ab85c6eb84652fd2ffa3843329ddfbf6ce52b3bbe8ef98c2b5518bb38ad82ddbf347c392810cafcb49716daa0ac03

Download Submit