Analysis
max time kernel: 21s
max time network: 23s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 17:51
Static task: static1
Behavioral task: behavioral1
  Sample: RDDoS_Tool-1.2/RDDoS_Tool.py
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: RDDoS_Tool-1.2/RDDoS_Tool.py
  Resource: win10v2004-20250314-en
Behavioral task: behavioral3
  Sample: RDDoS_Tool-1.2/setup.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral4
  Sample: RDDoS_Tool-1.2/setup.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral5
  Sample: RDDoS_Tool-1.2/setup.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral6
  Sample: RDDoS_Tool-1.2/setup.sh
  Resource: debian9-mipsel-20240418-en
General
Target: RDDoS_Tool-1.2/RDDoS_Tool.py
Size: 5KB
MD5: 19d57d20cbbb7ac44561da4734195944
SHA1: c818c0eac42c267baa1b0bbbb7532585834b1b52
SHA256: 7d9d0acb8f30998bf9ddf30d69105db7752b5c01e42aa2ea189a1e1a082610be
SHA512: 5cbaecd848d437a75f02cccda91ebec375040762091db175aa3371b5afb2897d164583de7692ab899662e222e05332fcd977a863e7a24827260aae64f41f3ca9
SSDEEP: 96:eRoSk89dQGRt5yrB35j4BK0lfwS8Xsd0y08b:HHu3tQN3dKRlfwS8XsdP0q
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.py | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2884 | AcroRd32.exe
2884 | AcroRd32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 768 wrote to memory of 2428 | 768 | cmd.exe | 31
PID 768 wrote to memory of 2428 | 768 | cmd.exe | 31
PID 768 wrote to memory of 2428 | 768 | cmd.exe | 31
PID 2428 wrote to memory of 2884 | 2428 | rundll32.exe | 33
PID 2428 wrote to memory of 2884 | 2428 | rundll32.exe | 33
PID 2428 wrote to memory of 2884 | 2428 | rundll32.exe | 33
PID 2428 wrote to memory of 2884 | 2428 | rundll32.exe | 33
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\RDDoS_Tool-1.2\RDDoS_Tool.py
  - Suspicious use of WriteProcessMemory
  PID: 768
  C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RDDoS_Tool-1.2\RDDoS_Tool.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2428
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RDDoS_Tool-1.2\RDDoS_Tool.py"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2884
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: a594cdd0577aedd4032c093903d3571d
SHA1: 04d9e08dde26fdc32f376603b2700fc0e868f686
SHA256: f0c28806c27d01f3f79555297b106a870804f1d01fe48f7dc5c830836e462b3e
SHA512: f1f1ec150b8734487d9bcda3c7e14f0baa92eaa2e39fe44c432f7580bbcdbc815cb410249ff52e1a86d957d38640dd8e9e6b7e016f5173f65a8847605236d423