Overview (score: 10)
Static
Behavioral tasks (sample, platform, score):
  INV_Scan_Jan.lnk       windows7-x64         10
  INV_Scan_Jan.lnk       windows10-2004-x64   10
  Requirements.lnk       windows7-x64         3
  Requirements.lnk       windows10-2004-x64   7
  hublamjogk...yU.cmd    windows7-x64         1
  hublamjogk...yU.cmd    windows10-2004-x64   1
  hublamjogk...ng.dll    windows7-x64         1
  hublamjogk...ng.dll    windows10-2004-x64   1
  projectt.py            windows7-x64         3
  projectt.py            windows10-2004-x64   3
  python.exe             windows7-x64         1
  python.exe             windows10-2004-x64   1
  pythonw.exe            windows7-x64         1
  pythonw.exe            windows10-2004-x64   1

Analysis
max time kernel: 151s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2023 16:51
Static task: static1
Behavioral tasks (task, sample, resource):
  behavioral1    INV_Scan_Jan.lnk             win7-20221111-en
  behavioral2    INV_Scan_Jan.lnk             win10v2004-20220812-en
  behavioral3    Requirements.lnk             win7-20221111-en
  behavioral4    Requirements.lnk             win10v2004-20220812-en
  behavioral5    hublamjogk/bowsaptoyU.cmd    win7-20220812-en
  behavioral6    hublamjogk/bowsaptoyU.cmd    win10v2004-20221111-en
  behavioral7    hublamjogk/skysurfing.dll    win7-20221111-en
  behavioral8    hublamjogk/skysurfing.dll    win10v2004-20220901-en
  behavioral9    projectt.py                  win7-20220812-en
  behavioral10   projectt.py                  win10v2004-20221111-en
  behavioral11   python.exe                   win7-20220812-en
  behavioral12   python.exe                   win10v2004-20220812-en
  behavioral13   pythonw.exe                  win7-20221111-en
  behavioral14   pythonw.exe                  win10v2004-20221111-en
General
Target: projectt.py
Size: 551B
MD5: bd4dab365285c2c3557af8335632b5af
SHA1: 8c344c5b9559c029f519b65a7cf893bb4b15a6e9
SHA256: d712f823065d710535392c8c80b6c874da06f68b707c7e18306344eb99c5847c
SHA512: bf1910784a2319bce5ae45866fa66d27ac2e535b43fb5f7dea097dff41ee26562387d32737c2e5c9cd8f8bfa7645d30b22fd1b7e91d819c7fe76f37bcd3edced
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (10 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\py_auto_file\ | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.py | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\py_auto_file | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\py_auto_file\shell | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1712 | AcroRd32.exe
  1712 | AcroRd32.exe
  1712 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 1940 wrote to memory of 2032 | 1940 | cmd.exe      | rundll32.exe
  PID 1940 wrote to memory of 2032 | 1940 | cmd.exe      | rundll32.exe
  PID 1940 wrote to memory of 2032 | 1940 | cmd.exe      | rundll32.exe
  PID 2032 wrote to memory of 1712 | 2032 | rundll32.exe | AcroRd32.exe
  PID 2032 wrote to memory of 1712 | 2032 | rundll32.exe | AcroRd32.exe
  PID 2032 wrote to memory of 1712 | 2032 | rundll32.exe | AcroRd32.exe
  PID 2032 wrote to memory of 1712 | 2032 | rundll32.exe | AcroRd32.exe
Processes
  C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\projectt.py
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe (child of cmd.exe)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\projectt.py
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of rundll32.exe)
        Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\projectt.py"
        - Suspicious use of SetWindowsHookEx