0b98e645f29f6ebf364734cb2545e4623800e0f420ea1324b37eb55742a9f731

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 16:01

Target

script.media.aggregator/bluebird.py
Size

12KB
MD5

930589511a89486e3b83fd2534ddd884
SHA1

7e39ca5e5170d1f2642207fbf9a52103e6702033
SHA256

7b0ea6d3389ef0139b4ea2d290b67f682f090b6a68ee77ad183d913b844073f3
SHA512

93a5f87009c27119fc2d038cff9a04a92cf6a11ae2860df05213da8e6e77f9ac0e8306e0f203bf47d187f9785fe2b0e0d6c40d7ecd32b30b3b7d9cb88a5ba0e5
SSDEEP

192:ttcQZct7oCqH9pN1myacqI13FgDsrbIfp5tfhZcQNRZcHp6rrNTzgEKCW:ph9FgfI13FgDsr2bZ8HENTzeCW

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2116 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2116 AcroRd32.exe
2116 AcroRd32.exe

pid	process
2116	AcroRd32.exe

pid	process
2116	AcroRd32.exe
2116	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2232 wrote to memory of 2672	2232	cmd.exe	rundll32.exe
PID 2232 wrote to memory of 2672	2232	cmd.exe	rundll32.exe
PID 2232 wrote to memory of 2672	2232	cmd.exe	rundll32.exe
PID 2672 wrote to memory of 2116	2672	rundll32.exe	AcroRd32.exe
PID 2672 wrote to memory of 2116	2672	rundll32.exe	AcroRd32.exe
PID 2672 wrote to memory of 2116	2672	rundll32.exe	AcroRd32.exe
PID 2672 wrote to memory of 2116	2672	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\script.media.aggregator\bluebird.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\script.media.aggregator\bluebird.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\script.media.aggregator\bluebird.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2116

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cf824f0dbb0a2676d82a64bc752d8711

SHA1
2ad6f5b48ab365065f89cf0987d39a802084f6af

SHA256
5ee7b94543eda9e7b95142779eacf0c53241bc7d28cf522a688c4b22a8167b7b

SHA512
65a3424378ab7be5ed1fa6cc622aff43a0631cbf773eefc795bb92ab0879b80aaa9755be6a672e8ffd8157d4b212a126f8a69828c0f294e0719c929767cb9aab

Download Submit