a6f33d935bd9c016b3d0914fd35d0985fbfb52018048a90e93f83984be09da9d

Analysis

max time kernel
115s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09/03/2025, 15:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

message1.py
Size

1KB
MD5

ca566887c66c27525204012ed37fa0a3
SHA1

7f324bc692121ab20d9123e7caeee6e53cc10236
SHA256

a73dd0f297a5d7005bf426c6b5203bd4a83e8d5f1c98164013708a870d5c58a5
SHA512

518e8180baf9b1f86435b5aef2424d9e660b625766d887ff9dfee1a9fc82a1c94c0ca1411e8d2b12f783edc64711a278604fc94c5fdae29d1692d2cc5039d3c2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	AcroRd32.exe
2792	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2964	1880	cmd.exe	31
PID 1880 wrote to memory of 2964	1880	cmd.exe	31
PID 1880 wrote to memory of 2964	1880	cmd.exe	31
PID 2964 wrote to memory of 2792	2964	rundll32.exe	33
PID 2964 wrote to memory of 2792	2964	rundll32.exe	33
PID 2964 wrote to memory of 2792	2964	rundll32.exe	33
PID 2964 wrote to memory of 2792	2964	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\message1.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\message1.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\message1.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4916db18c27ee77961cdf1b97032220c

SHA1
a003ef67f491e37e7082c7361ca9ab95e3151f84

SHA256
5f282c6c337bfda12bff8a8c89d20acd0d8daf1686cb4a1f895ed3d903f4fa75

SHA512
dcf1266e1432f5b9be66c742b976e318a500aa258a1789849387ea3c56558a933906abfe4c58ed3837e623e0a4c9770947035013eb523dd17f88e0c308230ccf

Download Submit