190518021e3fac483be4fa77e86ad7dbf7479be7424c45ba165c2c064f27935a

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/04/2023, 20:52

Target

Boost Bot/config.json
Size

408B
MD5

a0d9d40adb30be2ce39593ef9e488074
SHA1

ff6ab671bc659772e657a7cb6ac2684908732484
SHA256

45e0003e49de6f614567017ae39f74343b3706cc65e1b41fcccc47c4ec6714c9
SHA512

c9528379fbfc64443335bf4e76417bb0b01e006ed88db1d8a2b3f8b8669814957d5a4e3b4d04f201cb05bdc1430f52bf5ec30bb8e024b55881ac2279f98f695a

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\json_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\json_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1764	1696	cmd.exe	28
PID 1696 wrote to memory of 1764	1696	cmd.exe	28
PID 1696 wrote to memory of 1764	1696	cmd.exe	28
PID 1764 wrote to memory of 1496	1764	rundll32.exe	29
PID 1764 wrote to memory of 1496	1764	rundll32.exe	29
PID 1764 wrote to memory of 1496	1764	rundll32.exe	29
PID 1764 wrote to memory of 1496	1764	rundll32.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Boost Bot\config.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Boost Bot\config.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Boost Bot\config.json"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1496

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact