Analysis Overview
SHA256
33dc853be9571e4fddcb07ab14fb1d1364394b8904eff403a04129a0efc49c81
Threat Level: Shows suspicious behavior
The file Boost bot leaked by LT.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Detects Pyinstaller
Unsigned PE
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 08:44
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:46
Platform
win11-20240426-en
Max time kernel
78s
Max time network
82s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Boost bot leaked by LT.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.111.243.30:443 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:46
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BoostBotSell\install.bat"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:46
Platform
win11-20240508-en
Max time kernel
3s
Max time network
6s
Command Line
Signatures
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4124 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Local\Temp\BoostBotSell\main.exe | C:\Users\Admin\AppData\Local\Temp\BoostBotSell\main.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BoostBotSell\main.exe
"C:\Users\Admin\AppData\Local\Temp\BoostBotSell\main.exe"
C:\Users\Admin\AppData\Local\Temp\BoostBotSell\main.exe
"C:\Users\Admin\AppData\Local\Temp\BoostBotSell\main.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:49874 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI41242\wheel-0.37.0.dist-info\INSTALLER
C:\Users\Admin\AppData\Local\Temp\_MEI41242\python39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI41242\python3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\win32api.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\pywintypes39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\pythoncom39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\yarl\_quoting_c.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_uuid.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\aiohttp\_helpers.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\aiohttp\_http_writer.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\_brotli.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\aiohttp\_http_parser.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\aiohttp\_websocket.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\MSVCP140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI41242\aiohttp\_frozenlist.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI41242\nacl\_sodium.pyd
</gr_replreplace>
<gr_replace lines="291-293" cat="reformat" orig="| Description">
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240426-en
Max time kernel
1s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240426-en
Max time kernel
1s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostBotSell\pytransform\__init__.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostBotSell\pytransform\__pycache__\__init__.cpython-39.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 788 wrote to memory of 3608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostBotSell\readme.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BoostBotSell\readme.txt
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240426-en
Max time kernel
1s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostBotSell\settings.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240508-en
Max time kernel
1s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostBotSell\used.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240508-en
Max time kernel
34s
Max time network
36s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BoostBotSell\pytransform\_pytransform.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1740-0-0x0000000070A00000-0x0000000070B2F000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240426-en
Max time kernel
0s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4924 wrote to memory of 1928 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostBotSell\requirements.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BoostBotSell\requirements.txt
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-04 08:44
Reported
2024-06-04 08:45
Platform
win11-20240508-en
Max time kernel
36s
Max time network
41s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1504 wrote to memory of 1604 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BoostBotSell\todobeforestart.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BoostBotSell\todobeforestart.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |