0aa3a8f7bd8f94484b0435e72e292744161b0707186f94845b7b6b54ac8f874d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT ViewBot v2.0/setup.py
Size

941B
MD5

eda4ba41910e22351b9181d552cf3b1c
SHA1

bf2fa5977b13b6ae80a4a1915d8025f75eca16fd
SHA256

1291ef03e04110780a294bb9608358901fb86ea235840fbd49ffe7beeb6c4da4
SHA512

1f6bcfd592c408acc45ec680ca78d01f15ed5ff3a7aaa632410923f4b661de671d9a5db6dd14b1695dcad37979b053df2d9d3067be8d5a51687bc583fda89ed2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2636	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2636	AcroRd32.exe
2636	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2256	3040	cmd.exe	29
PID 3040 wrote to memory of 2256	3040	cmd.exe	29
PID 3040 wrote to memory of 2256	3040	cmd.exe	29
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\setup.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\setup.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\setup.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0dac6cb10271c4571f104597bd8ad1fe

SHA1
3b0166b30d5e86a202ef98e53bd6d0f34a4eddf5

SHA256
6f71d59ccb957b9e0d46fc4c7eedc71fb19eb4967a4befb21f3e7da918bbe7c0

SHA512
e081574ac02d1ba368e2ac43fb0ad3c7f4768bb8efd3d56a4d5421786d4e5727f10bf4ee9eb69531ea7c124eba25def930e9d0fd0a16a1ea9dfbc445b01d7bb1

Download Submit