Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 13:52 UTC

General

  • Target

    net8.0-windows/Astral_assets/obfuscation/obfuscation.py

  • Size

    6KB

  • MD5

    285744b7932bde6ca1bf8ca33534736a

  • SHA1

    44226fba522b7deb198ac8eb98bbd148c11ae1de

  • SHA256

    7445dc0c6dafacfe6cda1bf5ac93efb0eab39f1d1f787195c93a8d9b9d8aea75

  • SHA512

    a27b5aa08329bd841c76a7d89872b95f12b083970c8c343973a18d8b15739d88d61f651078d4beefb954d13ef50e1db30eff549512db318257016bca7ea28f44

  • SSDEEP

    96:BFokKZB5DqxqDxkyjAMwRw+UVt4LsevwLzRCS:BFoTqxyxHjV9nt4IevwLMS

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Astral_assets\obfuscation\obfuscation.py
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Astral_assets\obfuscation\obfuscation.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Astral_assets\obfuscation\obfuscation.py"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    3e18dce2f896690c1f5437f8eeb2e3b8

    SHA1

    07c2319d8132faae11376af8c09d5dd3111aa09f

    SHA256

    557277ccf3bc56ce8e2b9bc6b328a5c857ec5313d47acd6cd5d85fea32ad38c0

    SHA512

    1528e72dcbce67497f8dc7fe97e27a1d4f415d09c268a1e40eac6c3aa0b2d8cdbea9970122850d79bc98ccf0a891276fd9b47063fe2103452b1cd2434c7cadf3