Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/06/2024, 20:12

General

  • Target

    Rose-Stealer-main/utils/aes_encrypt.py

  • Size

    2KB

  • MD5

    2d308ed55531923e9b2c9a0502af8401

  • SHA1

    509e61f5ab8f4666b955ec71ce09c2081d07d8b6

  • SHA256

    89212b4a8408b8acbac15c698f7c5a1c89e62b9de8073ff93dc118013fe20a88

  • SHA512

    be73ae524bbc3251a647198f7f4fb7cf9a5ac3343603ceeceba407daed8bea24bf39a8c11fa7295c17dcb65308d70a8e23e0af659aea8f20537a48c6ee572f18

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\utils\aes_encrypt.py
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\utils\aes_encrypt.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\utils\aes_encrypt.py"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    1db0b25502dbb6f7cc9e2126a6b9ffd6

    SHA1

    cfed81c44fa18aeab7c4b244883dee0ed323d659

    SHA256

    6940bd7c179e3a9ae9c2c259ad49cc8753012d6ee5cbd33d9cdfde1828d1298c

    SHA512

    c269a6c6c8cb7d08b06631754711fce5e350f88ed5b73c1e1f62e3f5a75f94767b5b56f0230f0afc1e8d1e19c834e9ec2974d2f6aefb888a157fdbb8dc5c19b2