0aa3a8f7bd8f94484b0435e72e292744161b0707186f94845b7b6b54ac8f874d

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT ViewBot v2.0/.gitignore
Size

2KB
MD5

da211c7c93bf4e8861af1dc2616c9548
SHA1

eb7d1ec41dbdbf2a89c4c62000b0f6b8313d8c15
SHA256

fcc9443ae95fc4cfd56aed31937d8060e03212a92707615fed5ee59e0b38def6
SHA512

75c7e19808d263a91d226722d36f5c93cfa02607557977abe10e6c79714e012c98182fabb048e630ec647c937246a29deb5a888419cc00cb4b195c378918b7de

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\gitignore_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.gitignore\ = "gitignore_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\gitignore_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\gitignore_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.gitignore	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\gitignore_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\gitignore_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\gitignore_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2584	AcroRd32.exe
2584	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2536	2176	cmd.exe	29
PID 2176 wrote to memory of 2536	2176	cmd.exe	29
PID 2176 wrote to memory of 2536	2176	cmd.exe	29
PID 2536 wrote to memory of 2584	2536	rundll32.exe	30
PID 2536 wrote to memory of 2584	2536	rundll32.exe	30
PID 2536 wrote to memory of 2584	2536	rundll32.exe	30
PID 2536 wrote to memory of 2584	2536	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\.gitignore"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\.gitignore
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\.gitignore"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
61ed837117b4e9d837fdcca9a0954a21

SHA1
bbe407eb5b738e70e48c21906a1121c8e4c499d3

SHA256
509b730f4d46647bd17d4903fcfc307ab07e43d6a274ad8151ab785f27639b68

SHA512
d7b033930a46b2dbf096f2e3138b2efea67bd58bc0db94f097cf4a6fdfb647668bb8bd1a99c63c7772e97d6583d03ad8b5dfaf8e2ffb61e2d91f55f317039e6f

Download Submit