97fc9ca5e07295a9d9d91b8808a6a30e302fb66f7cc103aaf87501d8f8fb54ad

Analysis

max time kernel
154s
max time network
138s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rose-Grabber-main/resources/source/bin/antivm.py
Size

14KB
MD5

419246ff7441d4f0be8d8ea0394969ba
SHA1

30bb147e9065e58968f315bb3e55d3c7f24769f8
SHA256

d504658dedc9665fc13bb0e83a0ab35d69faabaf280f9a6abf939ba3dfe5697f
SHA512

0f82d63e617886e822440fcdc1007faa95e1be3b96f792a466a9b0115ac2b98ce30c1023bceb4e902acd6f8e2dc9fb50d9a4f91863a6dc288a43fbb6143d3991
SSDEEP

192:VzrmhXMuzuf/T2K0iKe8T1Hk6OIQd/v0BZtt/vDtoe1/3/IV/IG/D/6/DRKhAEmw:NKwAeQfOIQkZiqPKKEmw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2704	AcroRd32.exe
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2188	2232	cmd.exe	29
PID 2232 wrote to memory of 2188	2232	cmd.exe	29
PID 2232 wrote to memory of 2188	2232	cmd.exe	29
PID 2188 wrote to memory of 2704	2188	rundll32.exe	30
PID 2188 wrote to memory of 2704	2188	rundll32.exe	30
PID 2188 wrote to memory of 2704	2188	rundll32.exe	30
PID 2188 wrote to memory of 2704	2188	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rose-Grabber-main\resources\source\bin\antivm.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Rose-Grabber-main\resources\source\bin\antivm.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rose-Grabber-main\resources\source\bin\antivm.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
91c5b6cdc2ff1b573b28aa6900d65c6f

SHA1
1549cbb3a34bfea8fe2a14a03744f4ba72e149d4

SHA256
89b333f11cf6bc10b181e64e45d4724d6515a074e46c096d37786266eafb61d0

SHA512
44f98b798aa1326dad5955ed91bda5cd418c07d77a182a8c120ab216ae16ddb20047729f24881e2b7b05623a83e6f12813263d53b020892e01bb539ac0fdd64a

Download Submit