97fc9ca5e07295a9d9d91b8808a6a30e302fb66f7cc103aaf87501d8f8fb54ad

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rose-Grabber-main/resources/source/bin/crypto_miner.py
Size

71B
MD5

b0f36cd6e23369df9fe1c7a6677709b6
SHA1

d5b63ca9a4a196f0d9e35ec145c3280c3a45e621
SHA256

11adc8c705874e6b69f4eef85815860f2a90449eb134041ff941d6a84de22951
SHA512

061984e9fd85d9a7eceafae31c5b5ec554621178d0e38f56fdedd22aa6c914205e7a3c3cfe7ebd39c87471e8bc78d8a71f7adcd274147290c5fd1483d760d77a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2920	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2920	AcroRd32.exe
2920	AcroRd32.exe
2920	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2740	2280	cmd.exe	29
PID 2280 wrote to memory of 2740	2280	cmd.exe	29
PID 2280 wrote to memory of 2740	2280	cmd.exe	29
PID 2740 wrote to memory of 2920	2740	rundll32.exe	30
PID 2740 wrote to memory of 2920	2740	rundll32.exe	30
PID 2740 wrote to memory of 2920	2740	rundll32.exe	30
PID 2740 wrote to memory of 2920	2740	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rose-Grabber-main\resources\source\bin\crypto_miner.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Rose-Grabber-main\resources\source\bin\crypto_miner.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rose-Grabber-main\resources\source\bin\crypto_miner.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
87f36a8539a9175821789dec511344e9

SHA1
76617853398621fa8e8a468b5f6c48dffd93aba6

SHA256
2867555e2a67d1b7b34e2f8c3d6eab780d9e4e78b3eff7b900c5b7834f3d05a8

SHA512
39701c81bed7d2cc95f8435d19d920b8deea088dcb17d3ae66ea4f0c9d2788eb18ec24fbc5bc93754715ff228e53c72150ef4908b5308f159a81375592544065

Download Submit