460550950795698b91eca429b99fe023999af2edf205d67d6462c190e1f4e6ca

Resubmissions

03/05/2024, 18:40

240503-xa7xwagb26 10

03/05/2024, 18:19

240503-wynngach5t 10

03/05/2024, 15:38

240503-s26fxaad2t 10

Analysis

max time kernel
90s
max time network
16s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OSbot judicable/_internal/model/__init__.py
Size

116B
MD5

0bdfc1c10a91e52803f7e736f2b4a066
SHA1

5c5a52fea4754a670d0197b8951b74529a8892e5
SHA256

65b597a05a5f54759cf7f5584db5708ad6438404ec5cf5b66c4a65a5e5575c8a
SHA512

4127beb31d0bb536257ce926d5c6f928cda9745e9a7dfe8190c5802dbc2f322630d43b2590a0cddff2599ce79802defbd640fe419938ff394bd0108ba9d9a121

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2400	AcroRd32.exe
2400	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2580	1612	cmd.exe	29
PID 1612 wrote to memory of 2580	1612	cmd.exe	29
PID 1612 wrote to memory of 2580	1612	cmd.exe	29
PID 2580 wrote to memory of 2400	2580	rundll32.exe	30
PID 2580 wrote to memory of 2400	2580	rundll32.exe	30
PID 2580 wrote to memory of 2400	2580	rundll32.exe	30
PID 2580 wrote to memory of 2400	2580	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\OSbot judicable\_internal\model\__init__.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\OSbot judicable\_internal\model\__init__.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OSbot judicable\_internal\model\__init__.py"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7a5b6635be0d3f1ff7c90dfab7a25936

SHA1
4d3025f36f54bac53c65b4adc7493af78209263d

SHA256
032dcb4892a818c0240d969b70a5d06c14f44a7baaff0ef4f60822d5574f42d8

SHA512
308d4fd91a756a26b2abdba2faa524fb79167bd8ab9709b7b440383f73d10bf3e01d94f4ac3685da2aa33f756c63c1aa44497571c5ae9e1e37ea071382757297

Download Submit