Analysis
max time kernel: 88s
max time network: 17s
platform: windows7_x64
resource: win7-20240221-it
resource tags: arch:x64, arch:x86, image:win7-20240221-it, locale:it-it, os:windows7-x64, system:windows
submitted: 03-06-2024 13:22
Behavioral task: behavioral1
Sample: marlbot-1.6.0-nextmortal.exe
Resource: win7-20231129-it

Behavioral task: behavioral2
Sample: marlbot-1.6.0-nextmortal.exe
Resource: win10v2004-20240508-it

Behavioral task: behavioral3
Sample: main.pyc
Resource: win7-20240221-it

Behavioral task: behavioral4
Sample: main.pyc
Resource: win10v2004-20240508-it
General
Target: main.pyc
Size: 54KB
MD5: 285e7619bccd46aea0c6aff6bf8a02c3
SHA1: 060c2079c38abaec500279556abd44ce514442ca
SHA256: f484f262d8c5fc6f9bc9fde3052716cad3be14677faf9f19ec574ad110d50395
SHA512: 34bd0848ecf3c0733f5f1a7938347634e9bbb253b32bbc3efa0b98d6de35f3071196f0ec647d80ce43e1b175fef544eef91751e9d5ad35fa803cf2d3f8071d3c
SSDEEP: 768:t3iNiTGSJknfjSE832dGGKGGpHT1gKdGwzChPM1PqhjX21:t3Bkn782dGGKGGpTdGsChPM1POjX0
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process: rundll32.exe
  Description       IoC
  Set value (str)   \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\
  Key created       \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc
  Set value (str)   \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file"
  Key created       \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command
  Set value (str)   \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created       \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file
  Key created       \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read
  Key created       \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell
  Key created       \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID    Process
  2668   AcroRd32.exe
  2668   AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Description                          PID    Process        procid_target
  PID 1580 wrote to memory of 2588     1580   cmd.exe        29
  PID 1580 wrote to memory of 2588     1580   cmd.exe        29
  PID 1580 wrote to memory of 2588     1580   cmd.exe        29
  PID 2588 wrote to memory of 2668     2588   rundll32.exe   30
  PID 2588 wrote to memory of 2668     2588   rundll32.exe   30
  PID 2588 wrote to memory of 2668     2588   rundll32.exe   30
  PID 2588 wrote to memory of 2668     2588   rundll32.exe   30
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
   PID: 1580
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
      PID: 2588
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
         PID: 2668
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: cc5041dfc835e7a34c21ced60ab672f5
SHA1: f4f1ea0b02fe8966e0c6c9b05cb2ea39f570e751
SHA256: 165d68ee075947ceb7fb1db642dd7478bd49a6e0227b8c97585a05c76a91a937
SHA512: 8081882f2f55949711114c55653f8d7f664f39d6ae5fefa8126aff4137ea72110555d941afa444a210fb7cee2397484878d28e994c3c09f65d1dc9af1a392fe6