0aa3a8f7bd8f94484b0435e72e292744161b0707186f94845b7b6b54ac8f874d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT ViewBot v2.0/Data/Lists.py
Size

2KB
MD5

58b844082767dd40b291276087b6323b
SHA1

41748aed3409eeb4be7a8d53b98a81fcfff2323d
SHA256

b21702251cf0e88c166088d4e08294b2b0c2f961da8056ac48c735243d554279
SHA512

f50268442358d511424d649603ce701cda7bb885cdfe005c8fbcdbde2b47784102b7196438d664ef4c32b5c317ad9e9b8ec7f1ed741d3aef399f378149c61547

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2540	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2540	AcroRd32.exe
2540	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2736	1752	cmd.exe	29
PID 1752 wrote to memory of 2736	1752	cmd.exe	29
PID 1752 wrote to memory of 2736	1752	cmd.exe	29
PID 2736 wrote to memory of 2540	2736	rundll32.exe	30
PID 2736 wrote to memory of 2540	2736	rundll32.exe	30
PID 2736 wrote to memory of 2540	2736	rundll32.exe	30
PID 2736 wrote to memory of 2540	2736	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\Data\Lists.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\Data\Lists.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\Data\Lists.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
727198f267492a84251db1535e3bc047

SHA1
49df73be0644ecffe57b57f3f1058a3c8b0c3a31

SHA256
cd9c4657e0a2a82898f454da5a5938d97638a2d5b34da5ba90fa1b177fab9df1

SHA512
502a67c559590a80b735ac17194187d639ad93977c224d816ed93476ee9d52e530c6f09c9754e5e38214637af7154fa5fd9444cf435450bd53fd701afdc7ca04

Download Submit