Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
06-01-2025 20:19
Static task
static1
Behavioral task
behavioral1
Sample
script.py
Resource
win7-20241010-en
General
-
Target
script.py
-
Size
1KB
-
MD5
447d04e6fcbef9b66eafa28b3a928a60
-
SHA1
4d716e1dd2520f1c9ab5d1a79f75c87a63101fa7
-
SHA256
6ec6c001e46e69a80acd54e349d6475a8198fc7178947c8cda9b56a244d6d6a3
-
SHA512
2c85aa2234e17bce10e51340fc99214e39fffe56b8c035aacd9be8f4a2c0806dcd8ce3f3762035904e43d4006e54f493fbccf32d7acdf9cfaec487453c5ece50
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2884 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2884 AcroRd32.exe 2884 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2760 2324 cmd.exe 31 PID 2324 wrote to memory of 2760 2324 cmd.exe 31 PID 2324 wrote to memory of 2760 2324 cmd.exe 31 PID 2760 wrote to memory of 2884 2760 rundll32.exe 33 PID 2760 wrote to memory of 2884 2760 rundll32.exe 33 PID 2760 wrote to memory of 2884 2760 rundll32.exe 33 PID 2760 wrote to memory of 2884 2760 rundll32.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\script.py1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\script.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\script.py"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2884
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5eff8dc24000f3a84a3ac46973f198d5f
SHA15a41f0bd21821f84aedf7194b2c656fbb3f528c2
SHA256fd41312aecf1befd9ca4efede01eb540e4d56b3b2e9efe23f8c521b801a70c81
SHA5120dd2cd15b4fcad08c63513448506647bc2511b966b86c4be782e771b0abd5966924d7514270fcdff4a8709e4f9898c74446b7fe56923490061603a8b304d73d1