be86b8210011212f3bf52f0472652ac3bbe2663bc021c2a3c3582670dddd1592

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno-Executor-master/expense_tracker/hooks.py
Size

5KB
MD5

693910ec7ece4aa888cb14c50572a2d5
SHA1

16b16b53d842c203f9e57d0402b9e5551394bf9c
SHA256

4e4628f62f940ce587f912370cac72b962af8547c452a94d2e63d1c4f02ac8c8
SHA512

4b4d051b36ee055c30109cc392ec49a364721cf23afc329a4ca9fa2092d6ecc55d083bb5e11b434cdfa8774a4b9c3436e1896104dd71476e50240a2e69450b70
SSDEEP

96:6JDs1ch1kQXOS25wcpAX2vPUx2EgrQIpQGPieL1C+M7O2uwLC:+Ds1ch1dOS25V+HZgrQIpQGPl5M7fuwG

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	AcroRd32.exe
2724	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2768	3052	cmd.exe	31
PID 3052 wrote to memory of 2768	3052	cmd.exe	31
PID 3052 wrote to memory of 2768	3052	cmd.exe	31
PID 2768 wrote to memory of 2724	2768	rundll32.exe	32
PID 2768 wrote to memory of 2724	2768	rundll32.exe	32
PID 2768 wrote to memory of 2724	2768	rundll32.exe	32
PID 2768 wrote to memory of 2724	2768	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Xeno-Executor-master\expense_tracker\hooks.py
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Xeno-Executor-master\expense_tracker\hooks.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Xeno-Executor-master\expense_tracker\hooks.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2ea9fb427e11e6e48338c12e4376c28c

SHA1
34fee4152a747071997075da0987ffcccc809046

SHA256
db11d048fabdc629db2ca64f97924346c5ed7f6811bbee495fc5abb13ac9667b

SHA512
03a8e4c5fbb7d3bcc56e12ce80db0fbb408940d238d41d86539256be18a5c4e9c28f1489c688f83f9bb0eb60ff0f9d73f8376a9af1a99652c4bdbb2a2561fcea

Download Submit