c94ecb268a02274d58417706b8ff0deddf21036a68c4ad692cdf43127905e541

Resubmissions

28-02-2024 03:00

240228-dhl6lahh24 10

28-02-2024 02:56

240228-dfe99shg73 10

28-02-2024 02:49

240228-dbbraahf62 10

28-02-2024 02:45

240228-c81k8shd8s 10

Analysis

max time kernel
77s
max time network
16s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Boobies.pyc
Size

29KB
MD5

e6b6c704fe4a55e2bd73ee2888e2bfb2
SHA1

77e532787b7b56321e405a710e9f63895020298f
SHA256

d1f80380fe99d7d9a052f145c6abc1b7ce844ec040f967bc4d120aa6ea4b1a1a
SHA512

91582b076bdd4976de8bd51b7c54397f25025f4b6668c33c58936a9c8d269afffb124fa74f6ef4f7354ef994b2f0f20fb27b0cc779d0b744fd77e56dc2034156
SSDEEP

768:3+lVSpnrWWk/4VDiiyAuoGyXzPBfIfTVRWSrdbHsJ1Kh7C5r:30StrWqG3KDBfI5RgKh7Qr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	AcroRd32.exe
2728	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2680	2956	cmd.exe	29
PID 2956 wrote to memory of 2680	2956	cmd.exe	29
PID 2956 wrote to memory of 2680	2956	cmd.exe	29
PID 2680 wrote to memory of 2728	2680	rundll32.exe	30
PID 2680 wrote to memory of 2728	2680	rundll32.exe	30
PID 2680 wrote to memory of 2728	2680	rundll32.exe	30
PID 2680 wrote to memory of 2728	2680	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Boobies.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Boobies.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Boobies.pyc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
bd65b9ab2ddb91a5839c932ab9f1592a

SHA1
187d1fc8c699a38668fa9f3d4a1649cc96aeeec1

SHA256
567a770eb93386958bb06f63b99ca74b14320b90f28bde5f0ecb71ba88dcb35a

SHA512
19588670fb49f3f9c8935f76bafb27665b168cef8fb2c3714600bb2140743f83fe263950ccdb1202f188d61d806ee09e8d932e524e75543e53531acae2d0930f

Download Submit