b4eb8d4cb851d7834246e4ceb588f8065ed34f9ee755355708bed2546fd2a982

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Air_Bot.pyc
Size

96KB
MD5

3f6939f512b8ada4766bf6247aafe696
SHA1

7fa352ee9473c0ba7a6c8532d8da16e9b49783ab
SHA256

9aa0d3856b46c729494157e9a3ce054bcefd7830412b60da5f829d814efea441
SHA512

a3df6601e07c23b90e1888475e41a6ae751059a5ccfc3fea9e548872b296a14b5b937a8d7560707d09806a3ac7e231346b90413e8b0b25ef5e34cb87acf341aa
SSDEEP

1536:duMxS2bfD77mW73twP3OU0cWyOrAiPnkgDA:d22bSWDtNyyPkgDA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pyc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	AcroRd32.exe
2556	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2576	2952	cmd.exe	29
PID 2952 wrote to memory of 2576	2952	cmd.exe	29
PID 2952 wrote to memory of 2576	2952	cmd.exe	29
PID 2576 wrote to memory of 2556	2576	rundll32.exe	30
PID 2576 wrote to memory of 2556	2576	rundll32.exe	30
PID 2576 wrote to memory of 2556	2576	rundll32.exe	30
PID 2576 wrote to memory of 2556	2576	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Air_Bot.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Air_Bot.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Air_Bot.pyc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
35028614061457f1096265a41ecab4cf

SHA1
87936d0eca3cc8e8f0a550fd61d64730e084065d

SHA256
6d72ec34ec087d55202f02af9c40b141c9db3cb3de58ab0e516f2d03affe1b08

SHA512
d2ad9088de8fcda9b44cfa635697970a8034bbba4466d4f59405f981cf21dd9ae1c3b1cc4e9a97838fc58802c9fcb37324b55fa416448348264cb5b217cad0c1

Download Submit