bd4899a49a765328a2d7f482b8ee08d9e5003e7961ad5fef43eab254515b6ac9

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-04-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.media.aggregator/bluebird.py
Size

12KB
MD5

c56cfe0c840f3e59ca134e65bd581d62
SHA1

8f6f9f217f135be7a7e2adf270a7cb42afd47727
SHA256

03e52f0d1a8e38a7f8901303a65a1e8b7419706eec30e9fefd19db713fb098a8
SHA512

7ca89032263fd5d5812a31ee9bac563c66d8349b1f1f5a28efd0ad01f81c987c1c33c9b9a00c587cd457d7432f2a6fa7a333ee0cf114cb93f44be6e1e94b1900
SSDEEP

192:ttcQZct7oCqH9pN1myaaJC3FNpsabIfp5tfhZcQNRZcHp6rrNTzgEKCW:ph9FgKC3FNpsa2bZ8HENTzeCW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2512	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2512	AcroRd32.exe
2512	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2840	2196	cmd.exe	29
PID 2196 wrote to memory of 2840	2196	cmd.exe	29
PID 2196 wrote to memory of 2840	2196	cmd.exe	29
PID 2840 wrote to memory of 2512	2840	rundll32.exe	30
PID 2840 wrote to memory of 2512	2840	rundll32.exe	30
PID 2840 wrote to memory of 2512	2840	rundll32.exe	30
PID 2840 wrote to memory of 2512	2840	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\script.media.aggregator\bluebird.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\script.media.aggregator\bluebird.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\script.media.aggregator\bluebird.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d20935ed5a60b9d954fccddae1b92233

SHA1
5a994d01db26419f8f82b18d38fc93056d4dc56e

SHA256
1212ac5509afd9fbdd0bfd95af6eeb023c05de969b2d6139f89c56ba9499f707

SHA512
59a586d4d15e5e932f2709d3349638451cc002e9137167418a13b43607cd459cd1d0f39b628326468772118aa28d6cab89563ea7076b8b44b732ae6e1888b2fe

Download Submit