b2996c6d10e025cd4f31d3a4626d286807576df292eee40068109949370245c0

Analysis

max time kernel
845s
max time network
849s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder.py
Size

34B
MD5

abaa9ea67cc53bc0205f56d0b66a22c3
SHA1

c28f2d35d0d12a3486489823cf74f0bf7f8b07b2
SHA256

99a23164675b43566e8c3ddaba774c973844e70d5cec1dbbfd6860b24f13a94e
SHA512

bb425d71279e0d3daee6e8a1e765ad2821d4c30609b66853277c4e8332525eb70f09ed3fb12301d0360b04141561a956ba666e29c1f892372a8224801e392a71

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	AcroRd32.exe
2928	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2760	2384	cmd.exe	31
PID 2384 wrote to memory of 2760	2384	cmd.exe	31
PID 2384 wrote to memory of 2760	2384	cmd.exe	31
PID 2760 wrote to memory of 2928	2760	rundll32.exe	33
PID 2760 wrote to memory of 2928	2760	rundll32.exe	33
PID 2760 wrote to memory of 2928	2760	rundll32.exe	33
PID 2760 wrote to memory of 2928	2760	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\builder.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\builder.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\builder.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1cda7bcd4cd4daf9e1388310e3d77f6b

SHA1
d21fb8d8722b502b5024f7d48b4f98e97edacc66

SHA256
455b4cf3824ece26b57248bcefe25e87c6e740440d67ddc0e23eee0c13745bfc

SHA512
ea7e57144cbd0919656a29f16665b5a53e52095282a3978922709c3effd35e26497b7ec1dbfe4361a7b7e77f8270c8b41d99621e07e7f350e76beb57f2bede31

Download Submit