Analysis
- max time kernel: 845s
- max time network: 849s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 22/03/2025, 11:03
Behavioral tasks
- behavioral1: sample boostrapper.exe, resource win7-20240903-en
- behavioral2: sample boostrapper.exe, resource win10v2004-20250314-en
- behavioral3: sample builder.py, resource win7-20240729-en
- behavioral4: sample builder.py, resource win10v2004-20250314-en
General
- Target: builder.py
- Size: 34B
- MD5: abaa9ea67cc53bc0205f56d0b66a22c3
- SHA1: c28f2d35d0d12a3486489823cf74f0bf7f8b07b2
- SHA256: 99a23164675b43566e8c3ddaba774c973844e70d5cec1dbbfd6860b24f13a94e
- SHA512: bb425d71279e0d3daee6e8a1e765ad2821d4c30609b66853277c4e8332525eb70f09ed3fb12301d0360b04141561a956ba666e29c1f892372a8224801e392a71
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  IoC: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AcroRd32.exe)
- Modifies registry class (1 IoCs)
  IoC: key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings (process: rundll32.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  IoC: PID 2928 (AcroRd32.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  IoCs: PID 2928 (AcroRd32.exe); PID 2928 (AcroRd32.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  IoCs (description, pid, process, procid_target):
  - PID 2384 wrote to memory of 2760 (2384, cmd.exe, 31)
  - PID 2384 wrote to memory of 2760 (2384, cmd.exe, 31)
  - PID 2384 wrote to memory of 2760 (2384, cmd.exe, 31)
  - PID 2760 wrote to memory of 2928 (2760, rundll32.exe, 33)
  - PID 2760 wrote to memory of 2928 (2760, rundll32.exe, 33)
  - PID 2760 wrote to memory of 2928 (2760, rundll32.exe, 33)
  - PID 2760 wrote to memory of 2928 (2760, rundll32.exe, 33)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\builder.py
  PID: 2384
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\builder.py
    PID: 2760
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\builder.py"
      PID: 2928
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 1cda7bcd4cd4daf9e1388310e3d77f6b
  SHA1: d21fb8d8722b502b5024f7d48b4f98e97edacc66
  SHA256: 455b4cf3824ece26b57248bcefe25e87c6e740440d67ddc0e23eee0c13745bfc
  SHA512: ea7e57144cbd0919656a29f16665b5a53e52095282a3978922709c3effd35e26497b7ec1dbfe4361a7b7e77f8270c8b41d99621e07e7f350e76beb57f2bede31