Analysis
-
max time kernel
103s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
25-05-2024 22:45
Behavioral task
behavioral1
Sample
Lunar.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Lunar.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
troll.pyc
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
troll.pyc
Resource
win10v2004-20240426-en
General
-
Target
troll.pyc
-
Size
2KB
-
MD5
f4c02d1f0a86849a1d6cdc0f996036d1
-
SHA1
0eedd3a627bee8d321553f5d97978216490af2e5
-
SHA256
a0a969ae358d472a5245fda0cccd062fd6a21e431356da6f6f8b55ccdd7982f8
-
SHA512
dc11a264125f21932a95f67c89766cdfe8aaa96c027181a8901b58e11c1831332d487317af967786f13ed0a1939128522626cfe3476010b2d18bb4060b7f31be
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2532 AcroRd32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2532 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2532 AcroRd32.exe 2532 AcroRd32.exe 2532 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2040 wrote to memory of 2516 2040 cmd.exe 29 PID 2040 wrote to memory of 2516 2040 cmd.exe 29 PID 2040 wrote to memory of 2516 2040 cmd.exe 29 PID 2516 wrote to memory of 2532 2516 rundll32.exe 30 PID 2516 wrote to memory of 2532 2516 rundll32.exe 30 PID 2516 wrote to memory of 2532 2516 rundll32.exe 30 PID 2516 wrote to memory of 2532 2516 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\troll.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\troll.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\troll.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5a429dfd97046a4c8c78914eab4a0df04
SHA18ac388cf0fd1fdc60e98be588e3426cb24b5ed54
SHA256b575d43416db77cacbb35f60e4ad599b84e47b09c0d962bf48a6180fed819e1c
SHA512e9cb220d221dcb7f81a5937391ef949fa2f2674fb3f7b819ff5704512f047f4ea6dcf5ea843e65acde8d28e6cf45a25473db47c5d0ed312ee76450d24bc309bf